The subject matter of this thesis is part of what can be called
"Systemics," or System Theory, the science that analyzes and describes
complex systems, patterns of interaction, communication between parts
of a system, understanding of a system by understanding its parts and
the interrelation of parts, and the like. Operational research has been
applied to study such systems numerically, to compare operating
strategies, to optimize. But our approach is structural, i.e. we are
interested in the structural relations and dependencies of the system.
Thus we have notions such as:

a) Operations A and B are concurrent, that is, either can precede 
the other, they may overlap in time, and which one of the above 
situations occurs is irrelevant. In some way, A and B are 
temporally independent. 

b) Operation C must wait for both A and B to complete. 

c) Operations D and E must both wait for C, but either one
excludes the other, i.e. if D takes place, E cannot and vice
versa. This is called a conflict situation, and related to it
is the concept of decision (to resolve conflict) and branching.

d) Deadlock situation: A certain operation A must wait for (depends
on results of) operation B, but operation B must wait for A:
The system hangs up, it is in a hang-up state, or deadlocked.

e) Unpredictability or non-determinacy: A certain operation
depends on the results of either A or B, but A and B are
concurrent: the final result may depend on whichever occurs first.


Petri Nets are a formal mathematical tool. They rely on a graphical
representation of dependencies such as those described above, and,
in a more general sense, are used to represent a system described by
events whose occurrences depend on certain conditions and change those
conditions. The notions of deadlock and unpredictability presented above
correspond to the precisely defined properties of liveness and safeness
of Petri Nets.


The mathematical analysis of Petri Nets in their full generality 
has not yet been very successful, but certain restricted classes are 
now well understood. This thesis shows important results for the class 
of Free Choice Petri Nets, a subclass of Petri nets, and solves the 
deadlock and unpredictability problem for a restricted class of systems 
called Production Schemata. 

The concept of Systemics as a science is due to Holt (Information 
Systems Theory Project), who extended and applied the ideas of Petri. 
Petri Nets were introduced by Petri in his dissertation in 1962 [18] and 
modified to their present form by Holt in 1968 [10]. 

The idea of first studying a limited subclass of Petri Nets to obtain
a better understanding of more general Petri Nets is due to
Genrich [9], who introduced Marked Graphs to study concurrency.

Extensive mathematical results about a subclass of Petri Nets known 
as Marked Graphs have been published by Holt and Commoner [12]. In that 
publication, Marked Graphs have also been used to represent a subclass of 
Production Schemata, namely those without decision branches or conflicts. 

Research on this thesis was prompted by a comparison of Rodriguez's
Parallel Program Graphs [19] and Marked Graphs. Both formalisms express
the same kind of determinism, but Rodriguez's Graphs allow for branching.
Attempts to model branching by a method as similar in structure as
possible to Marked Graphs led to the definition of Free Choice Petri Nets.
The works of Karp and Miller [13], Muller and Bartky [14], Baer, Bovet,
and Estrin [1], Slutz [21] were in different degrees relevant to research
in the early stages of this thesis. In particular, Muller's concept of
semimodularity is related to the behavior of safe Petri Nets, and the
algorithms of Baer, Bovet and Estrin are of interest insofar as their
"directed acyclic bilogic graphs" are structurally the same as acyclic
Free Choice Petri Nets.

Among the references listed in this thesis are several other
publications about Petri Nets. These include several applications of Petri
Nets, notably Saint and Shapiro for representing algorithms [20], and
Dennis for representing control structures in digital computers [6].


Description of Petri Nets and Production Schemata 
CHAPTER 1
Petri Nets 


1.1 Definition 


A Petri Net is a directed bichromatic graph with an initial marking.
The two distinguished types of vertices are called places and
transitions. A marking is a function which associates with each
place in the Petri Net a non-negative integer, called the token
load of that place, or the number of tokens in it.

A simulation of a Petri Net is a sequence of firings of transitions.
Only firable transitions may fire at any time, and a transition is
firable if and only if all its immediate antecedent places (input
places) have a positive, non-zero, load in the present marking.
(A place with one or more tokens is marked, a place with no tokens
is blank.) The firing of a transition changes the marking by
decrementing the load of each input place by one and by incrementing
the load of each immediate successor place (output place) by one.

A Marking M' is said to be reachable from marking M if there exists
a firing sequence which transforms marking M into M'. The marking
class of a Petri Net is the set of all markings reachable from the
initial marking.

Graphically, we represent places by circles and transitions by bars.
Dots in places represent the tokens of the marking.

Example:

[Figure: a net with transition t, shown before the firing of
transition t and after the firing of transition t.]
1.2 Liveness and Safeness


The most important properties of Petri Nets are liveness and
safeness.

A transition t is live at marking M if, for every marking M' that
can be reached from M, there exists a firing sequence which fires t.

Example:

In this example, $t_1$ and $t_2$ are live, but $t_3$ is not live, because if we
fire $t_3$ we reach a marking with only one token, and no firing sequence
can possibly get two tokens back on the net, hence $t_3$ cannot be fired
again.

If every transition in a Petri Net is live, the Petri Net is live.

An example of a live net is:

[Figure] is live because it can fire at any time: it has no blank input place.

[Figure] is live because, for any marking, $t_1 t_2$ is a firing sequence.
A place p is safe at marking M if every marking M' that can be
reached from M has at most one token on p.

Example:

[Figure omitted.]

$p_1$ and $p_2$ are safe; $p_3$ is not.

A Petri Net is safe if every place in the net is safe.

A Petri Net is said to be live and safe, or LS, if it is both live and
safe at the initial marking.

In a safe Petri Net, a place is either blank or has one token. We
can say that a place represents some condition which either holds or
doesn't. A firing of a transition then terminates the holding of those
conditions that enabled the transition, and begins the holding of other
conditions: In this context, we say that an event, represented by the
transition, occurred.


1.3 Syntactical Subclasses 


The structure of Petri Nets in full generality, as defined above, is
very rich, and it appears difficult to fully understand the relationships
between the structure of the net (properties such as strongly connected,
for example) and the behavior of the net (liveness or safeness, for
example). Hence we approach the problem by analyzing first certain
restricted subclasses of Petri nets.
Definitions


Presently we distinguish the following subclasses:

- State Machines (SM)
- Marked Graphs (MG)          (proper subclasses)
- Free Choice Petri Nets (FC)
- Simple Petri Nets (SN)
- Petri Nets (PN)

We say syntactical subclasses because of the fact that whether a
given Petri Net belongs to a subclass or not is decided by the
local structural configuration of the Net. In short, we have:


local configuration

- SM: every transition has exactly one input place and exactly
  one output place.

- MG: every place has exactly one input transition and exactly
  one output transition.

- FC: every arc from a place is either unique output of a place
  or unique input to a transition.

- SN: every transition has at most one shared input place.

- PN: no restriction.


The following figure shows the inclusion relations among the subclasses: 


[Figure omitted: inclusion diagram of the subclasses.]


It can be seen that State Machines have the same structure as the
familiar Finite State Automata or Sequential Machines, but
uninterpreted in the sense that we do not associate input or output symbols
to the transitions (state-transitions in Automata Theory language). A
token in a place corresponds to the Sequential Machine being in the
corresponding state, assuming there is only one token in the net.


Mathematical Properties: A first approach to the basic concepts 


1.4.1 Overview 


The mathematical properties of Petri Nets we are most interested in
are the relations between liveness and safeness of the Net, or
parts of it, and structural properties such as connectedness,
covered by State Machines, decomposable into Marked Graphs.

Holt and Commoner have extensively studied the mathematics of
State Machines and Marked Graphs [5, 12].

We shall focus our attention on Free Choice Nets. The most
important result is a Theorem that states necessary and sufficient
conditions for the existence of a live and safe marking in a Free
Choice Petri Net.

To date, Free Choice Petri Nets are the largest class of
Petri Nets for which such necessary and sufficient conditions are
known.


1.4.2 Liveness and Safeness in Free Choice Petri Nets 


Important preliminary contributions to this topic are due to
Fred Commoner, and include the definition of Traps and Deadlocks,
as well as a Necessary and Sufficient Condition for Liveness of
Free Choice Petri Nets.

A Deadlock is a set of places in a Petri Net such that every
transition which puts a token on some place in the set
requires at least one token from some place in the set. This
implies that if a deadlock is blank (i.e. contains no tokens),
it will remain blank for every possible firing sequence. This
is intuitively bad for liveness, since every transition having
an input place in a blank deadlock will have no chance of firing.

Example: The bold face places form a deadlock.

Note that a deadlock in the Petri Net sense is a deadlock in
the usual sense only if it is blank; potential deadlock might
be a better name for the deadlocks defined above.

A Trap is a set of places such that every transition which takes
a token from the set puts at least one token back into the set.
Hence once a Trap is marked, i.e. contains at least one token,
it will always be marked, no matter what firing sequences take
place.

Note that if a Deadlock contains a marked Trap, it will never
become blank, and the threat to liveness described before does
not exist: This is the "good" situation.

Example of a Trap (bold face)

Traps and Deadlocks are not exclusive: For example,
every strongly connected Petri Net is both a Trap and a Deadlock.

Commoner has proved that a Free Choice Petri Net is live if and
only if every Deadlock contains a marked Trap [4].


- Consistent Subnets: Open and Closed 


A Subnet of a Petri Net is defined like a subgraph in Graph
Theory [2], i.e. as a subset of vertices (places and/or
transitions) and the arc relation restricted to the vertices of the
subset.

Traps and Deadlocks are -- strictly speaking -- subnets by
themselves, but such a collection of places without the transitions
that are connected to them is not very meaningful by itself.
Thus we introduce the concept of a Consistent Subnet.

- A Consistent Subnet of a given Petri Net is

  either: a subnet consisting of a set of places and all
          transitions pointing to or from these places, called a
          Closed Consistent Subnet,

  or:     a subnet consisting of a set of transitions and all
          places pointing to or from these transitions, called
          an Open Consistent Subnet.




The distinction between Closed and Open comes from the fact that
one type is connected to the rest of the net by sharing certain
transitions, and the other by sharing certain places. We assume
a place is more "open" than a transition, hence an Open subnet
has an "open" boundary of places, and a Closed subnet has a
"closed" boundary of transitions.

Deadlocks and Traps can be conveniently viewed as Closed
Consistent Subgraphs, because they are defined as a set of places. We
shall henceforth take this point of view.

The union of Consistent Subnets is defined in the obvious way,
so is the Covering of a Petri Net by a set of Consistent Subnets.
Unless the Petri Net is very peculiar (having transitions without
any input nor output places for example), if the union of the
places of Closed Subnets is the set of all places of the Petri
Net, the union of the Subnets is the whole Petri Net. In this
sense we can speak of a Petri Net being covered by State Machines
or by Marked Graphs.

Let a minimal Deadlock be a Deadlock that does not properly
contain any non-empty deadlock.

We shall prove that a Free Choice Petri Net has a live and safe
marking if and only if it is covered by strongly connected State
Machines and every minimal Deadlock is a strongly connected
State Machine.


CHAPTER 2
Production Schemata


2.1 Flow of Control and Flow of Objects 


In the introduction we described Systems in very general terms.
We spoke of operations and dependencies of events on each other. One
way to describe dependencies dynamically is to speak in terms of flow.
We may, in general, speak of two sorts of flow: flow of control and
flow of objects.

Flow of control often has a very complex structure because it
describes situations such as gathering information in different parts of
the system and directing one course of action instead of another. To
model flow of control by Petri Nets, we need at least the structural
complexity of Simple Nets.

Flow of objects, on the other hand, can be represented and analyzed
by Free Choice Nets. We describe flow of objects in a System by
Production Schemata.


2.2 Definition of Production Schemata: Conjunctive Elements 


A Production Schema is a model for representing the flow of objects
in a System. It describes operations on objects, and branching or
merging of flow.

An assembly operation takes as inputs all the parts needed to
assemble an object: The operation takes place only when all inputs have
arrived; there is one path of flow per object.

[Figure: assembly operation, before assembly and after assembly.]

We also have a disassembly operation:

[Figure: disassembly operation, before disassembly and after disassembly.]

In a more general sense, we have operations with several inputs and
several outputs:

[Figure: operation with several inputs and several outputs, before and after.]

These operations are described by conjunctive nodes because input
flow and output flow are conjunctive: all input objects are needed to
initiate the operation, and all output objects are produced each time
the operation terminates.

Before we present more elements of Production Schemata, we shall
emphasize two points: Timing, and accumulation of several objects in
one place (input arc to an operation, for example).
Timing, in the usual sense of a description of the upper and lower
bounds of delays, is a "bad word" in our context. We wish to represent
all constraints structurally in our model. This means that if a certain
system contains timing constraints, these will show up as structural
constraints in the model which is itself strictly asynchronous. This is
possible because we can model the flow of metered time by a "clock," a
certain event which happens, by definition, every t seconds. The
structure of the model is then such that if a certain event must (by
specification) occur between, say, the $p^{\text{th}}$ tick (since some time origin)
and the $q^{\text{th}}$ tick, that event depends (structurally) on the $p^{\text{th}}$ tick,
but the $q^{\text{th}}$ tick depends on it. This way we can model situations like:
"If item A has not been used after four hours, discard it."

Had we chosen a synchronous model, with metered time, it would be
very difficult indeed to represent asynchronous systems, and the cause
and effect relationship among events. Moreover, it seems that even in
the case of synchronous systems, we gain more insight into the system by
explicitly representing all constraints on the events in the system in an
asynchronous model.


Now consider the following situation:

Operation C gets its inputs from A and B. One object, $\alpha$, has arrived
from A, and C is now waiting for an object from B to proceed. But before
this happens, A produces another object, $\alpha'$.

[Figure omitted.]

Finally, B produces object $\beta$.

Now, should C use $\alpha$ and $\beta$, or $\alpha'$ and $\beta$? If $\alpha$ and $\alpha'$ were
undistinguishable it would not matter, but we intend to keep our model as
general and uninterpreted as possible and must assume that all objects are
distinguishable (cf "free interpretation" in program schemata [15]). We could
require the link to preserve order (and hence mate $\beta$ to $\alpha$), but this can
be modeled independently by a pipeline, which we shall introduce below.
We therefore let this situation be undesirable, i.e. express a malfunction
of the system, and shall analyze it as such. It reminds us of course of
unsafeness in Petri Nets, and, in most systems, can be thought of as a
malfunction leading to unpredictability and non-determinacy.

To represent a system where one part may produce at times more
objects than are consumed by another, we need a buffer, or pipeline, and
usually the capacity is specified; in particular we do not expect
infinite queues. Then, a pipeline that can hold up to, say, 4 items and
deliver them in order, can be represented by the following arrangement,
which works like a bucket brigade:

[Figure: four-cell pipeline. Annotation: "B has just produced output and
is ready to receive more input."]
We have 4 cells. Each cell either contains an object on the top link,
or a message on the bottom link. The message says actually two things,
depending on the point of view: "Ready to receive another object," and
"Previous object has just been delivered." These messages constitute
what Holt calls "backflow" in Marked Graph models for Production
Facilities [12]. It is of course debatable whether we should consider this
flow of messages as flow of objects rather than flow of control; but in
some systems all objects might effectively be messages, and, more
importantly, we may consider a warehouse as an operation taking as input
an order form, and giving the requested object as output. This approach
obviates the need for special input or output nodes: An input node is an
operation which produces an object upon receiving a request, and an
output node is an operation which produces a receipt, or acknowledgement,
upon delivering to the "outside world" an object received as input. The
important fact is that such messages are treated in a strictly local
manner, just like other objects, and only the producing and receiving
operations are "aware" of its existence, as opposed to control information
described in 2.1.

So far, we have described exactly the same class of Systems as have
been represented by Marked Graphs in "Events and Conditions," by Holt and
Commoner [12]. We present next those elements which introduce decisions,
switches, and permit the representation of a larger class of Systems.


2.3 Definition of Production Schemata: Disjunctive Elements 


If we want to represent a situation where an object produced by A
flows either to B or to C, depending on circumstances (nature of the
object, for instance), we need a new element whose outputs are disjunctive:
It acts as a switch:

[Figure: switch element, before and after.]

Also, if a certain operation gets its inputs from exactly one of
several possible sources, we need an element with disjunctive input,
sort of a reverse switch, or collector:

[Figure: collector element, before and after.]

Of course, nothing a priori forbids us to consider a more general form
of a switch:

[Figure: general switch element, before and after.]


These elements differ from operation elements by the fact that:

- they have disjunctive input and output,
- there is only one object flowing through at a time,
- the object flows through unchanged.

In particular, this means that the following transformation cannot take
place in one step.

[Figure: phase 1 to phase 2 in a single step, marked "step 1 (incorrect)".]

Instead, it involves two steps, which can occur in either order:

[Figure: phase 1, step 1, phase 2, step 2, phase 3.]

But we could also have the following (and in the free interpretation
we must consider this along with all other possibilities):

[Figure: situation marked "unsafe".]


This leads to a situation we chose to consider a malfunction, possibly
leading to non-determinacy. One of the objectives of this thesis is to
guarantee structures such that if a collector element receives an object
on one input, no object can possibly show up on any other input until
the first object has been delivered to the next element following the
collector.

We shall conclude this section by giving an example of a structure
leading to deadlock, a structure leading to unsafeness, and an example of
a structure without malfunctions.
Example 1: Two paths, originating conjunctively and joining
disjunctively, create possible unsafeness at the input to B.

Example 2: Two paths, originating disjunctively and joining
conjunctively can lead to hang-up on A: If all objects are switched down
the left path, the right input will never get an object, and A
cannot operate.

Example of a Well-Formed Production Schema.

[Figure omitted. Surviving labels: "catalyst", "output the result",
"activity restorer", "recover catalyst", "concentrated",
"test for correct composition", "restore activity".]
2.4 Representing Production Schemata by Petri Nets


At this point, the reader has certainly noticed the similarity
between objects and tokens, operations and transitions, links between
elements and one-input-one-output places, and disjunctive elements and
multiple arc places. The correspondence is straightforward:

[Figure: correspondence table with columns "Production Schema" and "Petri Net".]


We note that, in Production Schemata, objects (tokens) are on the
links, but in the Petri Net, tokens are always on places. This is
especially illustrated in example d). There are two Petri Net firings
associated with the switch (or collector) element, and there seems to be
an intermediate step where the object is "inside" the switch. This is
perfectly acceptable, and the switch or collector element could well
have been defined that way. We could also model an operation as
follows, if we wish:

[Figure: initiate operation, operation in progress, terminate operation.]

Semantically, this is even quite attractive, but it does not in any way
change the structure of dependencies that we wish to analyze.

On occasion, we might wish to contract the representation of the
switch or collector element:

[Figure omitted.]

We could even go one step further, though it may be questionable on
semantic grounds:

But in no case can we suppress the "auxiliary" transition $\alpha$ and place $\beta$,
because this would make the structure essentially different. As long as
$\alpha$ and $\beta$ are there, a token can be switched towards D and, after that,
will have to wait for D to receive its other input, and fire. If,
however, we remove $\alpha$ and $\beta$, the token could at any time be "stolen" or
leaked away towards C; the switching decision would not be necessarily
final as in the original net. This distinction is fundamental to the
concept of Free Choice Petri Nets:

Every Production Schema can be represented by a Free Choice
Petri Net.

Conversely, every Free Choice Petri Net represents a Production
Schema, if we allow contractions as discussed above.
The desirable properties for a Production Schema are:

- determinacy, predictability
- no hang-up states under any conditions of operation.

The first property has been associated with unsafeness in Petri Nets by
definition of our formalism, the second property is clearly related to
liveness in the representing Petri Net. We therefore define:

A Well-Formed Production Schema is a Production Schema
represented by a Live and Safe Free Choice Petri Net.
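
Whether a small schema is well-formed in this sense can be checked by exhaustive search of its marking class. The Python below is an added example, not code from the thesis: it applies the firing rule of Chapter 1 to decide safeness and liveness, and the three nets with all their place and transition names are constructed here to mirror Example 1, Example 2 and a switch matched by a collector.

```python
from collections import deque


class PetriNet:
    """Net given by pre[t] (input places) and post[t] (output places)."""

    def __init__(self, pre, post):
        self.pre = {t: frozenset(ps) for t, ps in pre.items()}
        self.post = {t: frozenset(post[t]) for t in pre}
        places = set().union(*self.pre.values(), *self.post.values())
        self.places = sorted(places)
        self.idx = {p: i for i, p in enumerate(self.places)}

    def marking(self, tokens):
        """Token loads as a tuple, one entry per place."""
        return tuple(tokens.get(p, 0) for p in self.places)

    def firable(self, m, t):
        # Firable iff every input place has a positive load.
        return all(m[self.idx[p]] > 0 for p in self.pre[t])

    def fire(self, m, t):
        # Decrement each input place, increment each output place.
        m = list(m)
        for p in self.pre[t]:
            m[self.idx[p]] -= 1
        for p in self.post[t]:
            m[self.idx[p]] += 1
        return tuple(m)


def explore(net, m0):
    """Build the marking class of m0 breadth-first.

    Markings with a load above one are recorded but not expanded, so the
    search terminates even when the net is unbounded.
    """
    graph, unsafe, queue = {}, [], deque([m0])
    while queue:
        m = queue.popleft()
        if m in graph:
            continue
        graph[m] = []
        if max(m) > 1:
            unsafe.append(m)
            continue
        for t in net.pre:
            if net.firable(m, t):
                nxt = net.fire(m, t)
                graph[m].append(nxt)
                queue.append(nxt)
    return graph, unsafe


def live_transitions(net, graph):
    """Transitions that some firing sequence fires from every marking."""
    live = set()
    for t in net.pre:
        can_reach = {m for m in graph if net.firable(m, t)}
        changed = True
        while changed:  # backward closure over the reachability graph
            changed = False
            for m, successors in graph.items():
                if m not in can_reach and any(s in can_reach for s in successors):
                    can_reach.add(m)
                    changed = True
        if len(can_reach) == len(graph):
            live.add(t)
    return live


def analyse(net, tokens):
    """Safeness and liveness of the initial marking by exhaustive search."""
    graph, unsafe = explore(net, net.marking(tokens))
    if unsafe:
        witness = dict(zip(net.places, unsafe[0]))
        return {"safe": False, "live": None, "unsafe_marking": witness}
    not_live = sorted(set(net.pre) - live_transitions(net, graph))
    return {"safe": True, "live": not not_live, "not_live": not_live}


# Constructed net for Example 1: A splits conjunctively into two paths
# that join disjunctively in place q, the input of B.
EXAMPLE_1 = PetriNet(
    pre={"A": ["start"], "t1": ["p1"], "t2": ["p2"], "B": ["q"]},
    post={"A": ["p1", "p2"], "t1": ["q"], "t2": ["q"], "B": ["start"]},
)
# Constructed net for Example 2: place s switches the object left or
# right, but A needs an object on both paths.
EXAMPLE_2 = PetriNet(
    pre={"tl": ["s"], "tr": ["s"], "A": ["left", "right"]},
    post={"tl": ["left"], "tr": ["right"], "A": ["s"]},
)
# Constructed well-formed net: the switch is matched by collector place c.
SWITCH_COLLECTOR = PetriNet(
    pre={"tl": ["s"], "tr": ["s"], "ul": ["left"], "ur": ["right"], "B": ["c"]},
    post={"tl": ["left"], "tr": ["right"], "ul": ["c"], "ur": ["c"], "B": ["s"]},
)

if __name__ == "__main__":
    print("Example 1:", analyse(EXAMPLE_1, {"start": 1}))
    print("Example 2:", analyse(EXAMPLE_2, {"s": 1}))
    print("Switch and collector:", analyse(SWITCH_COLLECTOR, {"s": 1}))
```

The search is exponential in the number of places, which is the practical reason for the structural conditions developed in Part Two.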


PART TWO


Mathematical Analysis of Free Choice Petri Nets


CHAPTER 3


Formal Definitions and Notation


This chapter provides the formalism for the concepts introduced in
Chapter 1.


3.1 Petri Nets 


Definition: A Petri Net is a triple $\langle \Pi, \Sigma, \cdot \rangle$ where
            $\Pi$ is a non-empty set of places
            $\Sigma$ is a non-empty set of transitions
            $\cdot$ is a relation; it corresponds to the arcs in the
            directed bichromatic graph; the set of vertices is $\Pi \cup \Sigma$.

            We have: $\cdot \subseteq (\Pi \times \Sigma) \cup (\Sigma \times \Pi)$

Notation:   $\langle x, y \rangle \in \cdot$ is written as $x \cdot y$
            $\{y \mid x \cdot y\}$ is written as $x^{\cdot}$
            $\{y \mid y \cdot x\}$ is written as ${}^{\cdot}x$

            We also apply the dot notation to designate the successor
            set of a set of places or transitions.

            Example: $P \subseteq \Pi$: $P^{\cdot} = \{x \mid \exists y \in P \text{ and } y \cdot x\}$

Def. A Marking is a function $M : \Pi \to \mathbb{N}$ (non-negative integers)

Def. A Firing is a partial function from markings to markings.
     There is a firing associated with every transition $t \in \Sigma$;
     t is said to be firable if its firing function is defined
     at the given marking M of the net, and the firing yields
     marking M'. We write this: $M[t\rangle M'$. The firing associated
     with $t \in \Sigma$ is such that:

     $\forall p \in {}^{\cdot}t - t^{\cdot}$:  $M'(p) = M(p) - 1$
     $\forall p \in t^{\cdot} - {}^{\cdot}t$:  $M'(p) = M(p) + 1$
     otherwise:  $M'(p) = M(p)$

     defined only if: $\forall p \in {}^{\cdot}t$: $M(p) > 0$
A firing sequence $\sigma$ is a string over transition names and,
as a function over markings, the composition of the firings
of the transitions in the order they appear in the string.

We shall say $t \in \sigma$ if t is fired at least once in $\sigma$. We
say that M leads to M' via $\sigma$, and write $M[\sigma\rangle M'$, or
$M' = M[\sigma\rangle$, if $\sigma$, as a partial function, is defined for M.

The set of firing sequences is denoted by $\Sigma^*$.

The forward Marking Class $\overrightarrow{M}$ of a marking M is the set of
markings which can be reached from M via some firing sequence:

$\overrightarrow{M} = \{M' \mid \exists \sigma \in \Sigma^* \text{ and } M[\sigma\rangle M'\}$


The concepts of liveness and safeness are defined as follows for Petri
Nets:

Def. A transition t is live in a given marking if and only if for
     every marking in the marking class there exists a firing
     sequence which fires that transition.

     $t \in \Sigma$ live at $M$ : $(\forall M' \in \overrightarrow{M}) (\exists \sigma \in \Sigma^*)$ such that:
     $M'[\sigma\rangle$ exists (i.e. $\sigma$, as a function, is
     defined at M') and $t \in \sigma$.

     A marking is live if and only if every transition is live at
     that marking.

     A place p is safe if and only if for every marking in the
     given marking class the load on p is not greater than one.

     $p \in \Pi$ safe at $M$ : $\forall M' \in \overrightarrow{M}$: $M'(p) \le 1$

     A marking is safe if and only if every place is safe at that
     marking.

Corollary: If a transition is live at marking M, it is live at any
     $M' \in \overrightarrow{M}$. If a place is safe at marking M, it is safe at any
     $M' \in \overrightarrow{M}$.


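Def. A subnet of a Petri Net $\langle \Pi, \Sigma, \cdot \rangle$ is a Petri Net
     $\langle \Pi', \Sigma', \circ \rangle$ such that: $\Pi' \subseteq \Pi$, $\Sigma' \subseteq \Sigma$
     ($\circ$ is the restriction of $\cdot$) $\circ = \cdot \cap (\Pi' \times \Sigma' \cup \Sigma' \times \Pi')$

Short notation for a Petri Net $\langle \Pi, \Sigma, \cdot \rangle$ : $\langle \Pi, \Sigma \rangle$
This can be used whenever $\cdot$ is clear from context. Thus, if we
say that $\langle \Pi', \Sigma' \rangle$ is a subnet of $\langle \Pi, \Sigma \rangle$, it is understood that the
arc relation for $\langle \Pi', \Sigma' \rangle$ is the restriction of the relation for
$\langle \Pi, \Sigma \rangle$ to the set of vertices $\Pi' \cup \Sigma'$.

Example: $\langle \Pi, \Sigma, \cdot \rangle$ where:

   $\Pi = \{p_0, p_1, p_2, p_3\}$
   $\Sigma = \{t_1, t_2\}$
   $\cdot = \{\langle p_0, t_1 \rangle, \langle p_0, t_2 \rangle, \langle t_1, p_1 \rangle, \langle t_1, p_2 \rangle, \langle t_2, p_3 \rangle\}$

[Figure: the net of this example.]

expressed as: $p_0 \cdot t_1$, $t_1 \cdot p_1$, etc.

also: $p^{\cdot} = \{t \mid p \cdot t\}$, $p \in \Pi$, $t \in \Sigma$
      ${}^{\cdot}p = \{t \mid t \cdot p\}$
      $t^{\cdot} = \{p \mid t \cdot p\}$
      if $P \subseteq \Pi$, then $P^{\cdot} = \{t \mid \exists p \in P \text{ and } p \cdot t\}$

Hence, in example above: $p_0^{\cdot} = \{t_1, t_2\}$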


3.2 Formal Definition of the Subclasses


Definition: A State Machine (SM) is a Petri Net $\langle \Pi, \Sigma, \cdot \rangle$
            such that: $\forall t \in \Sigma$: $|{}^{\cdot}t| = |t^{\cdot}| = 1$.
            ($|A|$, where A is a set, is the cardinality of the
            set A). In other words, each transition has exactly
            one input place and one output place. (cf Chapter 1)

Definition: A Marked Graph (MG) is a Petri Net $\langle \Pi, \Sigma, \cdot \rangle$
            such that: $\forall p \in \Pi$: $|{}^{\cdot}p| = |p^{\cdot}| = 1$

Definition: A Free Choice Petri Net (FC) is a Petri Net $\langle \Pi, \Sigma, \cdot \rangle$
            such that: $(\forall p \in \Pi)(\forall t \in \Sigma)$: $p \cdot t \Rightarrow p^{\cdot} = \{t\}$ or ${}^{\cdot}t = \{p\}$,
            i.e. an arc from a place p to a transition t either is
            the unique output arc of p or the unique input arc to
            t.


3.3 Traps and Deadlocks


In a Petri Net $\langle \Pi, \Sigma \rangle$,

Definition: A Trap is a subset of places $T \subseteq \Pi$ such that $T^{\cdot} \subseteq {}^{\cdot}T$,
            i.e. every transition having an input place in T must
            have an output place in T.

Definition: In a Petri Net $\langle \Pi, \Sigma \rangle$ a Deadlock is a subset of places
            $D \subseteq \Pi$ such that ${}^{\cdot}D \subseteq D^{\cdot}$, i.e. every transition having
            an output place in D must have an input place in D.

In a strongly connected Petri Net $\langle \Pi, \Sigma \rangle$, it is clear that we have
${}^{\cdot}\Pi = \Pi^{\cdot} = \Sigma$, hence it is both a trap and a deadlock.

Terminology: a set of places $P \subseteq \Pi$ in a Petri Net $\langle \Pi, \Sigma \rangle$ with
             marking M is said to be
             - blank, if no place contains a token: $\forall p \in P$: $M(p) = 0$
             - marked, if some place contains a token: $\exists p \in P$: $M(p) \ge 1$
             - empty, if it is the empty set: $P = \emptyset$
CHAPTER 4
Necessary and Sufficient Conditions for Liveness and
Safeness in Free Choice Petri Nets


4.1 Commoner's Liveness Theorem


Commoner solved the problem of deciding whether a given marking in
a Free Choice Petri Net is live by proving that a necessary and
sufficient condition for liveness is that every deadlock contain a marked
trap. The proof we give here follows very closely the original proof
of the theorem.
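
Commoner's condition can be evaluated directly on a small net from the definitions of Section 3.3. The Python below is an added example, not code from the thesis: it tests the Free Choice property, enumerates the non-empty deadlocks, computes the maximal trap inside each, and reports the deadlocks that contain no marked trap. The nets and all place and transition names are constructed for illustration, and the enumeration is exponential in the number of places.

```python
from itertools import combinations


def pre_set(places, post):
    """Transitions with an output place in `places` (the dot on the left)."""
    return {t for t, outs in post.items() if outs & places}


def post_set(places, pre):
    """Transitions with an input place in `places` (the dot on the right)."""
    return {t for t, ins in pre.items() if ins & places}


def is_deadlock(places, pre, post):
    # Every transition putting a token into the set takes one from it.
    return pre_set(places, post) <= post_set(places, pre)


def is_trap(places, pre, post):
    # Every transition taking a token from the set puts one back.
    return post_set(places, pre) <= pre_set(places, post)


def is_free_choice(pre):
    """Each arc p -> t is the unique output of p or the unique input of t."""
    for t, ins in pre.items():
        for p in ins:
            outputs_of_p = {u for u, other in pre.items() if p in other}
            if outputs_of_p != {t} and ins != {p}:
                return False
    return True


def maximal_trap(places, pre, post):
    """Largest trap contained in `places` (possibly empty)."""
    trap = set(places)
    changed = True
    while changed:
        changed = False
        for t, ins in pre.items():
            if ins & trap and not (post[t] & trap):
                # t drains these places without refilling the set, so
                # none of them can belong to a trap inside it.
                trap -= ins
                changed = True
    return trap


def unprotected_deadlocks(pre, post, marking):
    """Non-empty deadlocks that contain no marked trap.

    A deadlock contains a marked trap exactly when its maximal trap is
    marked. An empty result means Commoner's condition holds.
    """
    places = sorted(set().union(*pre.values(), *post.values()))
    bad = []
    for size in range(1, len(places) + 1):
        for subset in combinations(places, size):
            candidate = set(subset)
            if not is_deadlock(candidate, pre, post):
                continue
            trap = maximal_trap(candidate, pre, post)
            if not any(marking.get(p, 0) > 0 for p in trap):
                bad.append(subset)
    return bad


# Constructed net: switch place s, paths joined conjunctively by A
# (the hang-up structure of Example 2 in Section 2.3).
HANG_UP_PRE = {"tl": {"s"}, "tr": {"s"}, "A": {"left", "right"}}
HANG_UP_POST = {"tl": {"left"}, "tr": {"right"}, "A": {"s"}}

# Constructed net: the same switch, joined by collector place c.
COLLECT_PRE = {"tl": {"s"}, "tr": {"s"}, "ul": {"left"}, "ur": {"right"}, "B": {"c"}}
COLLECT_POST = {"tl": {"left"}, "tr": {"right"}, "ul": {"c"}, "ur": {"c"}, "B": {"s"}}

# Input arcs of a switch feeding C and D, with and without the auxiliary
# transition alpha and place beta discussed in Section 2.4.
WITH_AUX_PRE = {"C": {"s"}, "alpha": {"s"}, "D": {"beta", "other"}}
CONTRACTED_PRE = {"C": {"s"}, "D": {"s", "other"}}

if __name__ == "__main__":
    print(unprotected_deadlocks(HANG_UP_PRE, HANG_UP_POST, {"s": 1}))
    print(unprotected_deadlocks(COLLECT_PRE, COLLECT_POST, {"s": 1}))
    print(is_free_choice(WITH_AUX_PRE), is_free_choice(CONTRACTED_PRE))
```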


4.1.1 Sufficiency Condition 


First, we prove the sufficiency condition, namely that if every
deadlock contains a marked trap, then the marking is live. Lemma 1
establishes the influence of blank deadlocks on possible firings, and
can be regarded as a mere technical preliminary to Lemma 2. Lemma 2 is
phrased in a way as to directly lead to a proof by induction on the size
of a subset of transitions. If the subset includes all transitions,
Lemma 1 is applicable and provides the basis for the inductive proof.
If the subset contains only one transition, the lemma expresses a
sufficient liveness condition for that transition. Theorem 1, the
sufficiency condition for liveness in Free Choice nets, follows immediately
from Lemma 2.


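Lemma 1: In a Petri Net $\langle \Pi, \Sigma \rangle$, let $M^0 \subseteq \Pi$ be the set of blank places,
         and $M^+ \subseteq \Pi$ be the set of marked places ($\Pi = M^0 \cup M^+$).
         Let $W \subseteq \Sigma$ be a subset of transitions.

         Then ${}^{\cdot}({}^{\cdot}W \cap M^0) \subseteq W \Rightarrow$ either: some t firable in W
                                            (i.e. $\exists t \in W$: ${}^{\cdot}t \subseteq M^+$)
                                    or: $\exists$ blank deadlock D: $W \subseteq D^{\cdot}$

Proof: Assume no t firable in W: $\neg(\exists t \in W \text{ and } {}^{\cdot}t \subseteq M^+)$
       i.e.: $\forall t\,(t \notin W \text{ or } {}^{\cdot}t \not\subseteq M^+)$
       then we get $\forall t$: $t \in W \Rightarrow {}^{\cdot}t \cap M^0 \ne \emptyset$

                   $\forall t$: $t \in W \Rightarrow t \in ({}^{\cdot}t \cap M^0)^{\cdot}$

       hence $W \subseteq ({}^{\cdot}W \cap M^0)^{\cdot}$
       But ${}^{\cdot}({}^{\cdot}W \cap M^0) \subseteq W$ by hypothesis: $({}^{\cdot}W \cap M^0)$ is a
       blank deadlock.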
Example: 


W= {t), ty, t,) 
CWAM) = (t, t,) 
blank deadlock: {P5, P53 


Lemma 2: In a Free Choice Petri Net $\langle \Pi, \Sigma \rangle$ with marking M, let $W \subseteq \Sigma$
         be a subset of transitions such that no firing sequence fires
         any transition in W. Then there exists a marking M' reachable
         from M such that there is a blank deadlock $D \subseteq (M')^0$ and
         $W \subseteq D^\bullet$.

Proof: By induction on the size of $(\Sigma - W)$.

       Basis: $|\Sigma - W| = 0$
       Then $W = \Sigma$. Since $\Sigma$ is the set of all transitions in the net,
       ${}^\bullet({}^\bullet W \cap M^0) \subseteq W$ is trivially true. Therefore Lemma 1 applies
       directly to show that, if no transition can be fired in W,
       there must be a blank deadlock D such that $W \subseteq D^\bullet$.

       Inductive Step: $|\Sigma - W| > 0$
       Let the initial marking be $M_0 = M$. We shall construct a
       firing sequence leading successively to the markings
       $M_1, M_2, \ldots, M_i, \ldots, M'$ such that, at M', we have a blank deadlock
       $D \subseteq (M')^0$ and $W \subseteq D^\bullet$.

       a) We shall show that no firing sequence fires any
       transition in $({}^\bullet W)^\bullet$: For suppose there is a transition $t_1 \in W$
       and a place $p_0 \in {}^\bullet t_1$ such that some transition $t_2 \in p_0^\bullet$ can be
       fired by some firing sequence. Since no firing sequence fires
       $t_1$, by hypothesis, we must have $t_2 \in p_0^\bullet - W$.
       But then $p_0$ has several output transitions, and by the Free
       Choice hypothesis, if $t_2$ can be fired $t_1$ can also be fired,
       which contradicts the hypothesis that no firing sequence
       fires any transition in W:

           No firing sequence fires any transition in $({}^\bullet W)^\bullet$.

       b) Let the present marking be $M_i$. There are two cases:

       Case 1: ${}^\bullet({}^\bullet W \cap M_i^0) \subseteq W$
       In this case Lemma 1 applies. Since, by hypothesis, no firing
       sequence fires in W, there must be a blank deadlock
       $D = ({}^\bullet W \cap M_i^0)$ such that $W \subseteq D^\bullet$, which proves Lemma 2 with
       $M' = M_i$.

       Case 2: ${}^\bullet({}^\bullet W \cap M_i^0) \not\subseteq W$
       Then there exists a transition $t \in {}^\bullet({}^\bullet W \cap M_i^0) - W$.
       There are two subcases:

       Case 2.1: No firing sequence fires t.
       Then, let $W' = W \cup \{t\}$. No firing sequence fires any
       transition in W'. But $|\Sigma - W'| = |\Sigma - W| - 1$: By the inductive
       hypothesis, there must exist a firing sequence $\sigma$ leading to
       a marking $M' = M_i[\sigma\rangle$ such that there is a blank deadlock
       $D \subseteq (M')^0$ and $W' \subseteq D^\bullet$. Then, since $W \subseteq W'$, we have proved
       Lemma 2 with marking M' and deadlock D.

       Case 2.2: There exists a firing sequence $\sigma$ which fires t.
       Let $M_{i+1} = M_i[\sigma\rangle$. Since, because of a), $\sigma$ does not fire any
       transition in $({}^\bullet W)^\bullet$, we have: $({}^\bullet W \cap M_i^0) \supseteq ({}^\bullet W \cap M_{i+1}^0)$. Then,
       since t fires into ${}^\bullet W \cap M_i^0$ and $\sigma$ does not fire in $({}^\bullet W)^\bullet$, we
       have: $|{}^\bullet W \cap M_{i+1}^0| < |{}^\bullet W \cap M_i^0|$.

       We repeat the argument at marking $M_{i+1}$: Since, each time we
       have to apply case 2.2, the size of $({}^\bullet W \cap M_i^0)$ decreases, we
       must eventually terminate at case 1 or case 2.1.

       q.e.d.


[Figure: Case 2.2]

From Lemma 2 we deduce that if no deadlock can ever be blank, there
must always be a firing sequence that fires any given transition.
(Take W = {t}). But if a deadlock contains a marked trap, since the
trap will always contain at least one token, the deadlock cannot
become blank:

Theorem 1. If in a FC net every deadlock contains a marked trap, then
           the net is live.
           (Sufficient condition for liveness)


4.1.2 Necessary Condition. 


We want to prove that in a live FC net, every deadlock must contain 
a marked trap, i.e. if the maximal trap in some deadlock is blank, there 
must exist a killing sequence, that is, a firing sequence leading to a 
marking where some transition can never be fired again. 

Such a killing sequence can be obtained by making a certain choice
ahead of time of the exit of multiple-output places: This selection is
called an allocation. More precisely, we shall define an allocation on
a set of places as a function which associates exactly one of the place's
output transitions with the place. An allocation is circuit-free if
there is no closed path through allocated transitions only.

Definition:
- An allocation A on a set of places S is a function:
      $A: S \to S^\bullet$
  such that $\forall p \in S: A(p) \in p^\bullet$
- An allocation A is circuit-free if there does not exist a path
  $p_0, t_0, p_1, t_1, \ldots, p_k, t_k$ of places and transitions such that:
      $A(p_i) = t_i$, $p_{i+1} \in t_i^\bullet$, $p_0 \in t_k^\bullet$
- The set of allocated transitions is $\{t \mid \exists p \in S$ and $t = A(p)\}$,
  denoted by $A(S)$
- The set of excluded transitions is
      $\{t \in S^\bullet \mid \forall p \in {}^\bullet t: p \in S \Rightarrow t \neq A(p)\}$
  denoted by $\bar{A}(S)$

Note that $A(S) \cap \bar{A}(S) = \emptyset$
          $A(S) \cup \bar{A}(S) = S^\bullet$
Hence     $\bar{A}(S) = S^\bullet - A(S)$


The objective of the proof is to show that if some deadlock contains a
blank trap, we can construct a killing sequence that does not put a
token on the trap. First, we show the existence of an allocation that
prevents the trap from getting a token, then we prove that this
allocation permits us to kill the net.

Lemma 3: Given a set of places $Q \subseteq \Pi$ and the maximal trap T in Q, there
         is a circuit-free allocation $A: (Q - T) \to (Q - T)^\bullet$ of Q - T
         that does not allocate into the trap, i.e.:
             $\forall p \in (Q - T): A(p) \notin {}^\bullet T$, or: $A(Q - T) \cap {}^\bullet T = \emptyset$

The maximal trap is the largest trap, or the union of all traps, in Q.
It may be the empty trap, i.e. there may be no trap in Q.


Proof: By induction on $|Q - T|$.

       - if Q = T, the empty allocation $\emptyset \to \emptyset$ satisfies the conditions
         trivially.

       - assume $|Q - T| > 0$: $\exists p_0 \in Q - T$, $\exists t_0 \in p_0^\bullet$: $t_0^\bullet \cap Q = \emptyset$
         since $p_0$ is not in the maximal trap.

       Hence, T is the maximal trap in $Q' = Q - \{p_0\}$. By inductive
       hypothesis there exists a circuit-free allocation A' of Q' - T
       such that
           $A'(Q' - T) \cap {}^\bullet T = \emptyset$

       Let $A: (Q - T) \to (Q - T)^\bullet$ be the allocation whose restriction
       to Q' - T is A', and which assigns $t_0$ to $p_0$:
           $\forall p \in Q - T$: $p \neq p_0 \Rightarrow A(p) = A'(p)$
                                  $p = p_0 \Rightarrow A(p) = t_0$
           $A(Q - T) = A'(Q' - T) \cup \{t_0\}$
       Since $A'(Q' - T) \cap {}^\bullet T = \emptyset$
       and   $t_0^\bullet \cap Q = \emptyset \Rightarrow t_0 \notin {}^\bullet T$
       we have $A(Q - T) \cap {}^\bullet T = \emptyset$:
       A does not allocate into T. Now suppose A is not circuit-free.
       Then, since A' is circuit-free, any circuit of A must
       contain the arc $p_0 \to t_0$. But $t_0^\bullet \cap Q = \emptyset$: the arc $p_0 \to t_0$
       is not part of any circuit in Q, hence in Q - T.

       Allocation A satisfies the conditions of Lemma 3.

       q.e.d.

Lemma 4: If the maximal trap T in any deadlock D of a Free Choice net
         is blank, there exists a firing sequence which leads to a
         marking where no transition of $D^\bullet$ is live.

Proof: Let $A: (D - T) \to (D - T)^\bullet$ be a circuit-free allocation of
       D - T such that $A(D - T) \cap {}^\bullet T = \emptyset$. Such an allocation exists
       by Lemma 3.

       Let us call a firing sequence that does not fire any
       excluded transitions an A-sequence:


           $\sigma$ is an A-sequence $\Leftrightarrow \forall t \in \sigma: t \notin \bar{A}(D - T)$

       Then: - no A-sequence puts tokens on T: T remains blank
               (A does not allocate into T and D is deadlock).
             - no A-sequence fires in $(D - T)^\bullet - A(D - T)$
               [excluded transitions $\bar{A}(D - T)$]
             - no A-sequence fires in $T^\bullet$ since T remains blank.
       hence: no A-sequence fires in $T^\bullet \cup [(D - T)^\bullet - A(D - T)]$.

       Let B be a set of places in D - T: $B \subseteq D - T$.

       claim: The only firings in an A-sequence that put tokens on
              B are those that fire in A(D - T):

              For B to receive a token, the sequence must fire in
              ${}^\bullet B$. But $B \subseteq D$ and ${}^\bullet D \subseteq D^\bullet$, hence ${}^\bullet B \subseteq D^\bullet$. Since $T \subseteq D$
              we have: $D^\bullet = (D - T)^\bullet \cup T^\bullet$
              Hence ${}^\bullet B \subseteq T^\bullet \cup (D - T)^\bullet$
              But an A-sequence does not fire in $T^\bullet \cup ((D - T)^\bullet - A(D - T))$,
              hence any firing of an A-sequence in ${}^\bullet B$ must be in A(D - T).

       Now let $B_0 = \{p \in D - T \mid \nexists p' \in D - T: p \in (A(p'))^\bullet\}$,
       i.e. $B_0$ is the set of "heads" of the circuit-free allocation.
       Since ${}^\bullet B_0 \cap A(D - T) = \emptyset$ by construction, no A-sequence puts
       tokens on $B_0$, hence there is a bound on the number of times
       any A-sequence can fire in $B_0^\bullet$.

       Now let $B_{i+1} = \{p \in D - T \mid \nexists p' \in (D - T) - B_i: p \in (A(p'))^\bullet\}$.
       Assume $t \in {}^\bullet B_{i+1} \cap A(D - T)$

       Then, we have: $\exists p \in B_{i+1}: p \in t^\bullet$
                      $\exists p' \in D - T: t = A(p')$


       This implies $p \in (A(p'))^\bullet$
       Hence, by the definition of $B_{i+1}$:
           $p' \notin (D - T) - B_i \Rightarrow p' \in B_i$
       This implies that every such t must be in $B_i^\bullet$
       Hence ${}^\bullet B_{i+1} \cap A(D - T) \subseteq A(B_i)$

       We know that any A-sequence can fire only a bounded number of
       times in $B_0^\bullet$. Assume (inductive hypothesis) that any A-sequence
       can fire only a bounded number of times in $B_i^\bullet$. It
       follows from ${}^\bullet B_{i+1} \cap A(D - T) \subseteq A(B_i)$ that any A-sequence can
       put only a bounded number of tokens (cumulatively) on $B_{i+1}$, and
       hence can fire only a bounded number of times in $B_{i+1}^\bullet$.

       Now, we show that $B_i \subseteq B_{i+1}$

       Assume $B_i \not\subseteq B_{i+1}$: There must be a place $p \in D - T$ such that:
           $p \notin B_{i+1}$, i.e.: $\exists p_1 \in (D - T) - B_i: p \in (A(p_1))^\bullet$
           $p \in B_i$, i.e.: $\nexists p' \in (D - T) - B_{i-1}: p \in (A(p'))^\bullet$
       Hence, we must have: $p_1 \notin B_i$
                            $p_1 \in B_{i-1}$
       That is to say: $B_{i-1} \not\subseteq B_i$

       By repeating the argument for decreasing values of i, we get:
           $B_0 \not\subseteq B_1$

       But this leads to a contradiction: There must be a place
       $p \in D - T$ such that:
           $p \notin B_1$, i.e. $\exists p_1 \in (D - T) - B_0: p \in (A(p_1))^\bullet$
           $p \in B_0$, i.e. $\nexists p' \in D - T: p \in (A(p'))^\bullet$
       which implies both $p_1 \in D - T$ and $p_1 \notin D - T$.

       This permits us to rewrite the definition of $B_{i+1}$ as:
           $B_{i+1} = B_i \cup \{p \in (D - T) - B_i \mid \nexists p' \in (D - T) - B_i: p \in (A(p'))^\bullet\}$
       Then $B_{i+1} - B_i = \emptyset \Leftrightarrow (D - T) - B_i = \emptyset$ or
           $\forall p \in (D - T) - B_i\ \exists p' \in (D - T) - B_i: p \in (A(p'))^\bullet$

       But the second alternative is impossible since A is circuit-free.

       Hence, since $B_i \subseteq B_{i+1} \subseteq D - T$:
           $B_{i+1} = B_i \Rightarrow B_i = D - T$

       This implies that the sequence $B_i$ grows strictly until it covers
       all of D - T. In particular, D - T is some $B_i$, and hence, by induction:

       Any A-sequence can fire only a bounded number of times in $(D - T)^\bullet$.

       Since no A-sequence fires in $T^\bullet$, and $(D - T)^\bullet \cup T^\bullet = D^\bullet$, we have:

       There is an upper bound on the number of times any A-sequence can
       fire in $D^\bullet$. Hence, there exists an A-sequence which leads to a
       marking M such that no A-sequence starting at M can fire in $D^\bullet$.


The circuit-free allocation is shown in bold.

       So far, we have not used the Free-Choice Hypothesis. Now we
       show that, in a Free-Choice net, every firing sequence starting at
       M is an A-sequence, and hence does not fire in $D^\bullet$.

       Assume there is a firing sequence $\sigma t_1$ that starts at M and is
       not an A-sequence, but $\sigma$ is an A-sequence, i.e. $\sigma t_1$ is the shortest
       non-A-sequence from marking M. Hence, we must have $p \in {}^\bullet t_1$ such
       that:
           $p \in D - T$
           $A(p) = t_2 \neq t_1$
       But then, by Free-Choice hypothesis: ${}^\bullet t_1 = \{p\}$
                                            ${}^\bullet t_2 = \{p\}$
       and ($t_1$ firable at $M[\sigma\rangle$) $\Rightarrow$ ($t_2$ firable at $M[\sigma\rangle$). But $\sigma t_2$ is an
       A-sequence and $t_2 \in D^\bullet$: this contradicts our hypothesis that no
       A-sequence starting at M can fire in $D^\bullet$.

       This proves Lemma 4.

Lemma 4 immediately implies:

Theorem 2: If a Free Choice net is live, every deadlock contains a
           marked trap.

Proof: If some deadlock does not contain a marked trap, its maximal
       trap must be blank: apply Lemma 4.

From Theorems 1 and 2 follows

Commoner's Liveness Theorem: A Free-Choice Net is live if and only if
(Theorem 3)                  every deadlock contains a marked trap.
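The condition of Commoner's theorem can be checked mechanically on a small net. The following Python code is an added example, not part of the thesis: it enumerates the non-empty deadlocks of a net by brute force, computes the maximal trap of each with the place-removal argument used in the proof of Lemma 3, and reports the deadlocks whose maximal trap is blank. The two sample nets, their markings and all function names are constructed for illustration.

```python
from itertools import combinations

# Constructed sample nets: transition -> (input places, output places).
# FORK_JOIN is a fork/join cycle. In LEAKY the cycle p1 -> t1 -> p2 -> t2 -> p1
# can lose its token through t3, so {p1, p2} is a deadlock without a trap.
FORK_JOIN = {
    "t1": ({"p1"}, {"p2", "p3"}),
    "t2": ({"p2"}, {"p4"}),
    "t3": ({"p3"}, {"p5"}),
    "t4": ({"p4", "p5"}, {"p1"}),
}
LEAKY = {
    "t1": ({"p1"}, {"p2"}),
    "t2": ({"p2"}, {"p1"}),
    "t3": ({"p1"}, {"p3"}),
    "t4": ({"p3"}, {"p3"}),
}


def places(net):
    return set().union(*(ins | outs for ins, outs in net.values()))


def pre(net, S):
    """Transitions with an output place in S (the set written •S)."""
    return {t for t, (_, outs) in net.items() if outs & S}


def post(net, S):
    """Transitions with an input place in S (the set written S•)."""
    return {t for t, (ins, _) in net.items() if ins & S}


def is_free_choice(net):
    """Every place-to-transition arc is the unique input arc of the
    transition or the unique output arc of the place."""
    return all(len(ins) == 1 or len(post(net, {p})) == 1
               for ins, _ in net.values() for p in ins)


def is_deadlock(net, D):
    return pre(net, D) <= post(net, D)


def is_trap(net, T):
    return post(net, T) <= pre(net, T)


def maximal_trap(net, Q):
    """Largest trap inside Q: repeatedly drop a place that has an output
    transition with no output place left in the candidate set."""
    T = set(Q)
    changed = True
    while changed:
        changed = False
        for p in sorted(T):
            if any(not (net[t][1] & T) for t in post(net, {p})):
                T.discard(p)
                changed = True
    return T


def blank_trap_deadlocks(net, marking):
    """Non-empty deadlocks whose maximal trap carries no token."""
    found = []
    ps = sorted(places(net))
    for k in range(1, len(ps) + 1):
        for combo in combinations(ps, k):
            D = set(combo)
            if is_deadlock(net, D):
                T = maximal_trap(net, D)
                if not any(marking.get(p, 0) >= 1 for p in T):
                    found.append(D)
    return found


def commoner_live(net, marking):
    """Commoner's condition; only meaningful for Free Choice nets."""
    if not is_free_choice(net):
        raise ValueError("net is not Free Choice")
    return not blank_trap_deadlocks(net, marking)


if __name__ == "__main__":
    print("fork/join, token on p1:", commoner_live(FORK_JOIN, {"p1": 1}))
    print("leaky net, token on p1:", blank_trap_deadlocks(LEAKY, {"p1": 1}))
```

In the leaky net the token on p1 marks the deadlock {p1, p2}, but firing t3 removes it for good, which is exactly the case the theorem excludes by asking for a marked trap rather than a marked deadlock.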
4.2 Safeness; Live-and-Safe Markings

For our purposes, it is not very interesting to study safeness in
non-live nets. For example, every Petri Net that has no zero-input
transitions has at least one safe marking: The blank marking.
Hence, the concept of Live-and-Safe is studied rather than safeness for
its own sake.

4.2.1 Definition of a Covering of a Petri Net

Deadlocks and traps have been defined as sets of places. However,
we also use sets of transitions associated with such sets of places, both
in the definition ${}^\bullet D \subseteq D^\bullet$ and in applications: cf. proofs seen so far.
So, we define the concept of a consistent subnet defined by a set of
places Q:

Definition: A consistent subnet of a Petri Net $\langle \Pi, \Sigma \rangle$ defined by a set
            of places $Q \subseteq \Pi$ is the Petri Net $\langle Q, {}^\bullet Q \cup Q^\bullet \rangle$, i.e. the net
            consisting of Q and all transitions directly connected to Q.

[Figure: original net and a consistent subnet defined by a set of places]

We also define the union of two consistent subnets defined by $Q \subseteq \Pi$
and $Q' \subseteq \Pi$ as the consistent subnet defined by $Q \cup Q'$.

Definition: A Petri Net is covered by a collection of consistent
            subnets if the union of these consistent subnets over the
            collection is the whole net, or equivalently, if every place
            is in some consistent subnet of the collection.

We say that these subnets form a covering of the original net.
Note that if Q is a deadlock, its consistent subnet is $\langle Q, Q^\bullet \rangle$;
                  a trap, its consistent subnet is $\langle Q, {}^\bullet Q \rangle$.


4.2.2 A Necessary Condition for a Live-and-Safe Marking in a Free 
Choice Net 


The prototype of a live and safe net is a net where there is always 
only one token. Strongly connected State Machines, where every transition 
has exactly one input and one output place, have such one-token live and 
safe markings. We will show that the concept of one-token Strongly 
Connected State Machine (SCSM) is central to the discussion of Live and 
Safe Free Choice Nets. 

We shall first prove that if a Free Choice Net is live and safe,
there must exist a covering of one-token SCSM's.

First we note that if the net is Live and safe at marking M, the
marking M' obtained by removing one token from M is not live. For if it
were, we could get another stone on the place where the previous stone
was removed, and hence the marking M would have been unsafe. (We must
exclude here nets that have isolated places, i.e. not connected to any
transition, this should not be a severe restriction however.)

Theorem 4: If a Free-Choice net is Live and Safe, there is a covering
           by one-token Strongly Connected State Machines:
           LSFC $\Rightarrow$ covered by one-token SCSM's.

Proof: a) Live and Free Choice $\Rightarrow$ every deadlock contains a marked
          trap.
          Live and Safe: If we take one token away, the net is
          non-live, and some deadlock has a blank maximal trap.
          (We need both the necessary and sufficient condition for liveness.)

Hence: LSFC $\Rightarrow$ every token is the unique token of the maximal trap in
       some deadlock.

       b) Suppose such a deadlock is not minimal. Then the token of
          the maximal trap will be in the maximal trap of some smaller
          deadlock. (There is only one token available, every deadlock
          must contain a marked maximal trap, and the maximal
          trap of the smaller deadlock is contained in the maximal
          trap of the containing deadlock.)

Hence: LSFC $\Rightarrow$ Every token is the unique token of the maximal trap in
       some minimal Deadlock.

       c) In a FC net, the consistent subnet defined by a minimal
          deadlock does not contain a transition with more than two
          input places. If there were such a transition, its input
          places would have no other output transition (Free Choice).
          But then we could take away all but one input place and
          still have a deadlock: The deadlock was not minimal.
          Therefore, the number of tokens in the maximal trap of a
          minimal deadlock in a FC net may not decrease by any firing
          sequence.

       d) Now suppose the consistent subnet defined by the maximal
          trap in the minimal deadlock has a transition with two
          output places. If the net is live, every firing of this
          transition increases the number of tokens on the trap. But
          it cannot decrease: unbounded, hence unsafe.

Hence: The maximal trap in a minimal deadlock of a live and safe
       Free-Choice Net defines a State Machine as consistent subnet.

       e) Suppose the maximal trap is not a deadlock itself. There
          must be a transition which puts a token on the trap without
          taking one away, hence liveness implies unsafeness, as above.

Hence: LSFC $\Rightarrow$ every minimal deadlock is a trap and defines a State
       Machine.

       f) Suppose a minimal deadlock that is a non-strongly connected
          State Machine:

          But then, if AB is a deadlock, so is A, hence AB cannot be
          minimal.
          LSFC $\Rightarrow$ every minimal deadlock defines a SCSM.

       g) From b) and f) it follows that every token is the unique token
          in a SCSM. But the net is assumed to be live: any place can
          hold a token at some time. (We exclude nets with isolated places.)

Hence: LSFC $\Rightarrow$ covered by one-token SCSM's.
       q.e.d.


4.2.3 Sufficiency Condition for Safeness in a Live Free Choice Net. 


Now we wish to prove that a one-token SCSM covering is sufficient
for safety, and derive a necessary and sufficient condition for
live-and-safeness of a Free Choice net.

Lemma 5: In a Free Choice net that does not have a live and safe
         marking, every live marking is unbounded (some place
         collects an unbounded number of tokens).

Proof: By hypothesis, every live marking is unsafe. From the
       liveness theorem we know that if a marking M is live, so is the
       marking $M' = M \cap 1$ obtained by removing, from every place, every
       token except one: Every trap remains marked.

       Let $M_0$ be a live marking; hence unsafe. We shall fire until
       we reach a marking $M_0' \in \bar{M}_0$ where some place has more than one
       token. We now paint, in every place, every token red except
       one, and pledge not to move the red tokens anymore. We
       continue firing with the non-painted tokens, effectively we fire
       now in $\bar{M}_1$ where $M_1 = M_0' \cap 1$.

       Since $M_1$ is live, it is unsafe; fire until $M_1'$ where some
       place contains more than one token, paint some tokens red,
       continue firing in $\bar{M}_2$ where $M_2 = M_1' \cap 1$, etc. At each step,
       the number of red tokens strictly increases. But our pledge
       not to move them is perfectly consistent with the firing rule
       in $\bar{M}_0$: any marking in $\bar{M}_i$ together with all red tokens
       accumulated so far is a marking in $\bar{M}_0$: $\bar{M}_0$ is unbounded: there
       is no bound on the number of tokens in the markings of $\bar{M}_0$.

       q.e.d.


The above lemma only depends on the fact that liveness is
determined by places having tokens or not, in contrast to having a specific
number of tokens. This property holds for FC nets but not for more
general nets:

[Figure: This net is live (not FC) for one or more tokens at place $p_1$.]

But it is false for the following net:

[Figure: No live marking is safe, but the marking $M(p_1) = 2$, $M(p_2) = 1$
is live, unsafe, bounded. But removing one token from $p_1$ kills the net.
Surprisingly, adding one token to $p_2$ also kills the net!]

4.3 The Live-and-Safeness Theorem

Theorem 5: If a Free Choice net is covered by Strongly Connected State
           Machines and has a live marking, it has a live and safe
           marking.

Proof: The number of tokens on any of the covering SCSM's is constant
       for all firing sequences. Hence an upper bound for the number
       of tokens is the sum of the number of tokens over all covering
       SCSM's. (If a token is shared among several covering SCSM's,
       it is counted several times.) But then, by lemma 5, if there
       is a live marking there must be a live and safe marking.

From the proof of Theorem 4 (necessary condition for safeness) it
follows that in a live and safe Free Choice net every minimal deadlock
is a SCSM. Conversely, a SCSM is always a minimal deadlock and
contains a trap, namely itself. Hence:

Live-and-Safeness Theorem: A Free Choice net is live and safe if and only
(Theorem 6)                if it is covered by one-token SCSM's and every
                           minimal deadlock is a marked SCSM.

The following example shows the importance of the word marked
SCSM:

[Figure captions, in page order:
 covered by one-token SCSM's
 every minimal deadlock is a SCSM
 some minimal deadlock is blank
 not Live and Safe
 covered by one-token SCSM's
 every minimal deadlock is SCSM, and marked
 some minimal deadlock has 2 tokens
 Live and Safe]

Corollary: A Free Choice net has a live and safe marking if and only
           if it is covered by SCSM's and every minimal deadlock is a
           SCSM.

Proof: The only-if part follows immediately from Theorem 6. Now
       suppose every minimal deadlock is a SCSM, hence contains a
       trap: The marking that has at least one token on each
       SCSM is live. Then, by Theorem 5, it has a live-and-safe
       marking.

       q.e.d.




CHAPTER 5
Decomposition of Free Choice Petri Nets

5.1 Well-Formedness in Free Choice Petri Nets

In the Live-and-Safeness Theorem (Theorem 6) we used the concept
of a covering by Strongly Connected State Machines. In this chapter
we shall consider an algorithm for obtaining such a decomposition.
There may be several possible coverings of SCSM's that satisfy the
corollary of Theorem 6 (Existence of a Live-and-Safe Marking). Our
algorithm will produce all such coverings. If the net has no SCSM
coverings that satisfy Theorem 6, the algorithm will produce subnets
that are not strongly connected, or not State Machines. This gives us
yet another test for the existence of a Live-and-Safe Marking in a Free
Choice net.

For convenience, we shall call a Free Choice net that satisfies the
corollary of Theorem 6 a Well-Formed (WF) Free Choice Net. This chapter
then discusses various Well-Formedness criteria and tests.

Definition: A Free Choice Petri Net is Well-Formed if it is covered by
            Strongly Connected State Machines and every minimal
            deadlock is a Strongly Connected State Machine.

Corollary: A Free Choice Petri Net has a Live-and-Safe Marking if and
           only if it is Well-Formed.

           FC: $\exists$LS $\Leftrightarrow$ WF


5.2 Duality, Reverse-Duality; Open and Closed Consistent Subnets 


The decomposition algorithms and proofs in this chapter require the
definition of some new concepts.

If we compare the definitions of Deadlocks and Traps, or State
Machines and Marked Graphs, we note a striking similarity: A Trap has
the same definition as a Deadlock if we reverse all arrows, i.e. if we
transpose, throughout the definition, the words input and output. A
Marked Graph has the same definition as a State Machine if we transpose,
throughout the definition, the words place and transition. In the first
case, we say that a Deadlock is the reverse of a Trap (and vice versa);
in the second case, we say that a Marked Graph is the dual of a State
Machine (and vice versa).

If we now look at the definition of a Free Choice Net, we observe
that by transposing the words input and output (and also transpose to and
from), and then transposing the words place and transition, we get the
same definition:

before: Every arc from a place to a transition is either the
        unique input arc to a transition, or the unique output
        arc from a place.

after:  Every arc to a transition from a place is either the
        unique output arc from a place, or the unique input
        arc to a transition.

We express this by saying that the reverse-dual of a Free Choice Net is
a Free Choice net.


Formally, we have: 


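Definition: - The reverse of a Petri Net $\langle \Pi, \Sigma, \to \rangle$ is a Petri Net
              $\langle \Pi', \Sigma', \to \rangle$ such that there are two bijections $\varphi$ and $\psi$:
                  $\varphi: \Pi \to \Pi'$
                  $\psi: \Sigma \to \Sigma'$
              and $\forall p \in \Pi$, $\forall t \in \Sigma$: $p \to t \Leftrightarrow \psi(t) \to \varphi(p)$
              (arrow-reversal)

[Figure: primal net with places a, b, c and transitions x, y; reverse net
with $\varphi(a)$, $\psi(x)$, $\varphi(b)$, $\psi(y)$, $\varphi(c)$]

Definition: - The dual of a Petri Net $\langle \Pi, \Sigma, \to \rangle$ is a Petri Net
              $\langle \Pi', \Sigma', \to \rangle$ such that there are two bijections $\varphi$ and $\psi$:
                  $\varphi: \Pi \to \Sigma'$
                  $\psi: \Sigma \to \Pi'$
              and $\forall p \in \Pi$, $\forall t \in \Sigma$: $p \to t \Leftrightarrow \varphi(p) \to \psi(t)$
              (place-transition interchange)

[Figure: primal net with places a, b, c and transitions x, y; dual net
with $\varphi(a)$, $\psi(x)$, $\varphi(b)$, $\psi(y)$, $\varphi(c)$]

Definition: - The reverse-dual of a Petri Net $\langle \Pi, \Sigma, \to \rangle$ is the net
              $\langle \Pi', \Sigma', \to \rangle$ such that there are two bijections $\varphi$ and $\psi$:
                  $\varphi: \Pi \to \Sigma'$
                  $\psi: \Sigma \to \Pi'$
              and $\forall p \in \Pi$, $\forall t \in \Sigma$: $p \to t \Leftrightarrow \psi(t) \to \varphi(p)$

[Figure: primal net with places a, b, c and transitions x, y; reverse-dual net
with $\varphi(a)$, $\psi(x)$, $\varphi(b)$, $\psi(y)$, $\varphi(c)$]

It is clear that: reverse of dual = dual of reverse = reverse-dual
                  dual of dual = primal
                  reverse of reverse = primal
                  reverse-dual of reverse-dual = primal
                  (primal = the original net)

Lemma 6: The reverse-dual of - Free-Choice is Free Choice.
                             - State Machine is Marked Graph
                             - Marked Graph is State Machine
                             - Strongly connected is Strongly Connected.

Proof: Let the primal be $\langle \Pi, \Sigma, \to \rangle$
       Let the reverse-dual be $\langle \psi(\Sigma), \varphi(\Pi), \to \rangle$
       where $\varphi$ and $\psi$ are bijections.
       Then: (FC in primal) $\Rightarrow$ ($\forall p \in \Pi\ \forall t \in \Sigma$: $p \to t \Rightarrow p^\bullet = \{t\}$ or ${}^\bullet t = \{p\}$)

       But, in the reverse-dual, we get:
           $p \to t \Leftrightarrow \psi(t) \to \varphi(p)$
           $p^\bullet = \{t\} \Leftrightarrow {}^\bullet\varphi(p) = \{\psi(t)\}$
           ${}^\bullet t = \{p\} \Leftrightarrow \psi(t)^\bullet = \{\varphi(p)\}$
       hence: $\psi(t) \to \varphi(p) \Rightarrow {}^\bullet\varphi(p) = \{\psi(t)\}$ or $\psi(t)^\bullet = \{\varphi(p)\}$
              $p' \to t' \Rightarrow {}^\bullet t' = \{p'\}$ or $p'^\bullet = \{t'\}$
       The three remaining points of the Lemma are trivial.

Example 1: Strongly connected Free Choice net. This example happens
           to be self-reverse-dual.

[Figure: primal; reverse-dual]

Example 2:

[Figure: primal (State Machine); reverse-dual (Marked Graph);
both not strongly connected]

We defined the notion of a consistent subnet defined by a set of
places. The dual (and reverse-dual) notion of this is a consistent
subnet defined by a set of transitions, and consisting of these transitions
and all places connected to them: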


Definition: A consistent subnet defined by a set of transitions $T \subseteq \Sigma$
            of a Petri Net $\langle \Pi, \Sigma \rangle$ is the Petri net $\langle {}^\bullet T \cup T^\bullet, T \rangle$.

We shall emphasize the distinction of the two kinds of consistent
subnets by calling them closed and open respectively:

Definition: - A closed consistent subnet is a subnet $\langle \Pi, \Sigma \rangle$ such that
              $\Sigma = {}^\bullet \Pi \cup \Pi^\bullet$ (defined by its places)
            - An open consistent subnet is a subnet $\langle \Pi, \Sigma \rangle$ such that
              $\Pi = {}^\bullet \Sigma \cup \Sigma^\bullet$ (defined by its transitions).

The distinction takes its name from the fact that the former is separated
from the rest of the net by a boundary* of transitions, the latter by a
boundary of places (more "open" than transitions).

To every statement about a Free-Choice Petri net corresponds a
statement about the reverse-dual net:

    primal                        reverse-dual
    place                         transition
    input (to)                    output (from)
    input arc to a transition     output arc of a place
    covering by SCSM's            covering by SCMG's
                                  (Strongly Connected Marked Graphs)
    Closed Consistent Subnet      Open Consistent Subnet
    SM-allocation                 MG-allocation
    etc.

Note also that the reverse of a trap is a deadlock, but we have no
interpretation yet for the dual or the reverse-dual notion of a trap.


5.3 Decomposition of a Free-Choice Net into a Covering of SCSM's 


We shall describe a reduction method which, given an FC net,
constructs all possible SCSM's that form a covering. The method is such
that if the net is well-formed, every reduction yields a SCSM and they
cover the net; if the net is not well-formed, some reduction will not
yield a SCSM, or the reductions will not cover the net.

We recall, from the proof of Theorem 4, that in a Free Choice net
we can construct a minimal deadlock by choosing any one of the input
places to a transition that has one output place committed to the
deadlock. So, to reduce the net to one of its component SCSM's we make
such a choice ahead of time for all transitions.

* The boundary of a subnet $\langle \Pi', \Sigma' \rangle$ in a net $\langle \Pi, \Sigma \rangle$ is the set
  $\{x \mid x \in \Pi' \cup \Sigma'$ and $(x^\bullet \cup {}^\bullet x) \cap ((\Pi - \Pi') \cup (\Sigma - \Sigma')) \neq \emptyset\}$

We shall therefore define an allocation of input places to
transitions much like we defined an allocation of output transitions to
places in the proof of Lemmas 3 and 4. Since we wish to construct
state machines, we distinguish this allocation by calling it a
state-machine allocation, or SM-allocation.

IMPORTANT NOTE: We shall from now on interpret "strongly connected" and
                "sc" as "consisting of strongly connected components."

Hence, a reduced net consisting of several disjoint but individually
strongly connected State Machines (or Marked Graphs) will also be called
SCSM (or SCMG).

Definition: An SM-allocation over a Free Choice net $\langle \Pi, \Sigma \rangle$
            is a function $B: \Sigma \to \Pi$ such that:
                $\forall t \in \Sigma: B(t) \in {}^\bullet t$

Given such an SM-allocation B we will now reduce the net to a SCSM
(if possible) that does not contain unallocated places:


Step 1: Delete all unallocated places. $(\Pi - B(\Sigma))$

Step 2: Delete all transitions that have all output places
        already deleted.

Step 3: Delete all places that have at least one output
        transition already deleted.

Repeat Steps 2 and 3 until neither is applicable anymore.

What is left over is the reduced net. Each step eliminates some elements
that would not be part of a SCSM consistent with the SM-allocation.
Formally, we construct the sets of eliminated places $(E_p)$ and
transitions $(E_t)$ as follows, given an SM-allocation B on a FC net $\langle \Pi, \Sigma \rangle$:

    $\forall p \in \Pi$, $\forall t \in \Sigma$:
        ${}^\bullet t - \{B(t)\} \subseteq E_p$                               (step 1)
        $t^\bullet \subseteq E_p \Rightarrow t \in E_t$                       (step 2)
        $p^\bullet \cap E_t \neq \emptyset \Rightarrow p \in E_p$             (step 3)

Then the SM-reduced net is defined as the Petri Net $\langle \Pi - E_p, \Sigma - E_t \rangle$,
say $\langle Q_p, Q_t \rangle$. Hence:
    $Q_p = \Pi - E_p$
    $Q_t = \Sigma - E_t$


From the definition follows immediately: 
QA5'% Weg 
Q, 5% Q <Q 
and hence: 
Q, = 1 Q 
: a 


Now assume $t^\bullet \cap Q_p = \emptyset$
It follows that: $t^\bullet \subseteq E_p$
                 $t \in E_t$
                 $t \notin Q_t$

Hence: $(t \in Q_t) \Rightarrow (t^\bullet \cap Q_p \neq \emptyset) \Rightarrow (\exists p \in Q_p: t \in {}^\bullet p) \Rightarrow (t \in {}^\bullet Q_p)$
i.e. $Q_t \subseteq {}^\bullet Q_p$

Hence: ${}^\bullet Q_p \cup Q_p^\bullet \subseteq Q_t \subseteq {}^\bullet Q_p$
$\therefore$ $Q_t = {}^\bullet Q_p \cup Q_p^\bullet$   (closed consistent subnet)
   $Q_p^\bullet \subseteq {}^\bullet Q_p$             (trap)

Also, by construction, $\forall t: |{}^\bullet t \cap Q_p| \leq 1$   (non-decreasing)

Lemma 7: An SM-reduction of a FC net is a closed consistent subnet
         defined by a non-decreasing trap.

We shall now prove a sufficient condition for Well-Formedness in terms
of SM-reductions of a FC net:

Theorem 7: If every SM-reduction of a FC net is a SCSM, and they cover
           the net, then the net is WF.

Proof: All that is required to prove is that every minimal deadlock
       $\langle D, D^\bullet \rangle$ is a SCSM.


       We know that because D is minimal in a FC net,
           $\forall t \in D^\bullet: |{}^\bullet t \cap D| = 1$

       We say that an SM-allocation B and the corresponding
       SM-reduction are consistent with the minimal deadlock D
       if: $\forall t \in D^\bullet: {}^\bullet t \cap D = \{B(t)\}$

       Such allocations exist because of the fact that $|{}^\bullet t \cap D| = 1$.
       (Note that, since the deadlock is minimal, this implies
       $B(D^\bullet) = D$.)

       First, we show that the minimal deadlock D must intersect
       each SM-reduction $\langle Q_p, Q_t \rangle$ consistent with D, i.e. that
       $D \cap Q_p \neq \emptyset$.

       Assume the contrary: $D \cap Q_p = \emptyset$ for every SM-allocation
       B consistent with D, whose associated SM-reduction is $\langle Q_p, Q_t \rangle$.

       case 1: $\forall t \in D^\bullet: |{}^\bullet t| = 1$
       In this case, every SM-allocation is consistent with D,
       hence deletes all of D (since, by assumption, $D \cap Q_p = \emptyset$).
       This contradicts the fact that the reductions cover the net.

       case 2: $\exists t \in D^\bullet: |{}^\bullet t| \geq 2$
       For any SM-allocation B' not consistent with D, let:
$ J
BAG Py 
P} # PY (B' not consistent with D) 


Then, every SM-allocation not consistent with D (such as B') 
deletes Py (Step 1: Be is unallocated). But, by assumption, 
every SM-allocation consistent with D also deletes Py? 

The reductions do not cover: contradiction. 

Hence: Every minimal deadlock D intersects some SM-reduction
       $\langle Q_p, Q_t \rangle$ consistent with D:
           $D \cap Q_p \neq \emptyset$

       Now, let $p \in D \cap Q_p$
       then: ${}^\bullet p \subseteq D^\bullet$ because D is a deadlock.
             ${}^\bullet p \subseteq Q_t$ because the reduction is a Closed
             Consistent subnet.
       also, $\forall t \in {}^\bullet p: {}^\bullet t \cap D = B(t) \in Q_p$,
       because the reduction $\langle Q_p, Q_t \rangle$, defined by SM-allocation B,
       is consistent with $\langle D, D^\bullet \rangle$.

       Hence: ${}^\bullet({}^\bullet p) \cap D \subseteq Q_p \cap D$

       By repeating this process for each place in ${}^\bullet({}^\bullet p)$ along
       backwards paths until D or $Q_p$ is exhausted (which must happen
       since D and $Q_p$ are minimal deadlocks -- the latter because it
       is SCSM -- and hence every place can be reached by a
       backwards path) we get $D \subseteq Q_p$ or $Q_p \subseteq D$. But since both are
       minimal deadlocks, we must have:

       Hence D is SCSM.


q.e.d. 
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5.4 Decomposition of a FC Net Into a Covering of Strongly Connected 
Marked Graphs 


A Free-Choice Net can be considered as an extension of State Ma- 
chines by allowing Marked-Graph-type concurrency, or as an extension of 
Marked Graphs by allowing State-Machine-type conflict. Historically, 
this view is at the origin of the concept of Free-Choice nets. 

So far, we were concerned with the State-machine-like behavior of
FC nets. But, noting that the reverse-dual of a FC net is also FC,
we shall now use this as a tool for analyzing Marked-Graph-related
properties.

We used SM-allocation reduction to get a decomposition into Closed
Consistent Subnets. Now, we define Marked-Graph allocation as the
reverse-dual concept and use it to get Open Consistent Subnets.


Definition: A Marked-Graph Allocation (MG-allocation) over a Free Choice
net $\langle \Pi, \Sigma \rangle$ is a function

$A: \Pi \to \Sigma$

such that $\forall p \in \Pi: A(p) \in p^\bullet$

This is exactly the type of allocation we used over a subset of
places in the proof of Theorem 2.


Now we define MG-reduction, given an MG-allocation A, by translating the
definition of SM-reduction into the corresponding reverse-dual concepts:

Step 1: Delete all unallocated transitions.

Step 2: Delete all places that have all input transitions already
        deleted.

Step 3: Delete all transitions that have at least one input place
        already deleted.

Repeat Steps 2 and 3 until neither is applicable anymore.

What is left over is the reduced net. Each step eliminates some
elements that would not be part of a SCMG consistent with the MG-
allocation.

However, we can also interpret this reduction as the elimination 
of all those parts in the net that would not be active if we were to use 
the allocation as a choice for multiple-output places: We deliberately 
choose not to fire unallocated transitions (Step 1); if all token flow is 
interrupted to a place, that place becomes inactive (Step 2); and if 
some input place to a transition is inactive, that transition will be 
inactive (Step 3). This description is informal at best, but if we 
interpret "inactive" as "receiving only a finite number of tokens," or 
"firable only a finite number of times," it will be useful for proofs 
about liveness. 


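Formally, we define the reduced net as follows:

- Sets of deleted places $E_P$, deleted transitions $E_T$:

  $\forall p \in \Pi: p^\bullet - \{A(p)\} \subseteq E_T$   (Step 1)
  $\forall p \in \Pi: {}^\bullet p \subseteq E_T \Rightarrow p \in E_P$   (Step 2)
  ${}^\bullet t \cap E_P \neq \emptyset \Rightarrow t \in E_T$   (Step 3)

The MG-reduced net, via MG-allocation A, is the net
$\langle Q_P, Q_T \rangle$

where $Q_P = \Pi - E_P$
      $Q_T = \Sigma - E_T$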


As in the case of SM-reduction, we get by reverse-duality: 


Q.= Qe U Qe = Q. 3; Open Consistent Subnet 


P 
% = % 
$\forall p: |p^\bullet \cap Q_T| \leq 1$   Conflict-free


We have no significant interpretation yet for Q, c Qe: We summarize 


these facts by: 


Lemma 8:   An MG-reduction of a FC net is a conflict-free open consistent
           subnet.

MG-reductions provide us with a necessary condition for well-formedness.

Lemma 9:   If some MG-reduction of a FC net is empty the net is not live.


Proof:     If some MG-reduction is empty, the set of eliminated
transitions $E_T$ and eliminated places $E_P$ form the whole net, for
some MG-allocation A. Let us do the reductions step by step and
check for possible firings of the eliminated transitions by
A-sequences (see proof of Theorem 2).

Step 1: No A-sequence fires any unallocated transition, by
        definition. We start building $E_T$ with transitions
        firable at most a bounded number of times.

Step 2: Eliminate those places that have only deleted input
        transitions. By inductive hypothesis, these transitions
        can only fire a bounded number of times.
        Hence, these eliminated places can fire their output
        transitions only a bounded number of times.

Step 3: Eliminate those transitions that have at least one
        input place deleted. By the explanation of step 2,
        they can fire only a bounded number of times: This
        supports the inductive hypothesis of bounded firability
        for a repetition of steps 2 and 3.

Since all transitions will be eliminated by hypothesis, every
A-sequence can fire each transition only a bounded number of
times.

Now let M be any marking, and let $\sigma$ be an A-sequence such that
no transition is firable by an A-sequence starting at
$M' = M[\sigma\rangle$. We just proved the existence of such an
A-sequence.


By the same reasoning as used in the proof of Lemma 4, we show that
every firing sequence starting at M' must be an A-sequence, i.e.
no transition can be fired by any firing sequence starting at
M'. For suppose some transition is firable at M'. It must be
an unallocated transition $t_0 \in p_0^\bullet - \{A(p_0)\}$ for some
$p_0$, since it must be part of a non-A-sequence. But, by Free Choice
hypothesis: $t_0$ firable $\Leftrightarrow$ $A(p_0)$ firable, which
contradicts the assumption that no A-sequence can fire at M'.


q.e.d.


Lemma 10:  If some MG-reduction of a live FC net is not a SCMG, the net
           is unsafe.

Proof:


a) Let us consider the MG-reduction within the original net.
Since each transition in the subnet has all the places connected
to it both in the original net and in the subnet (open consistent
subnet) a transition is firable in the subnet if and only if it is
firable in the original net, and the effect of that firing on the
marking is the same. Hence, if a firing in the subnet leads to an
unsafe marking, the net is unsafe; if it leads to a marking where no
transition in the subnet can be fired (A-sequence), then no firing
sequence in the original net can fire any transition in the subnet;
in this latter case, the same argument used in Lemma 4 and Lemma 9
applies again.

Hence: Net live $\Rightarrow$ MG-reduction live
       MG-reduction unsafe $\Rightarrow$ Net unsafe

b) Now consider the MG-reduced net $\langle Q_P, Q_T \rangle$ alone.
Assume it has a live marking. We shall show it is unsafe if it is not
a SCMG.

- if it is not strongly connected, it must be unsafe:
  (We must assume here that no transition t is such that
  $t^\bullet = \emptyset$; but this is guaranteed if the original net
  does not contain such a transition.)

- if it is not a Marked Graph, it must contain a place p with
more than one input transition, since more than one output 
transition is excluded by construction. Since Qe as Qe 
there exists an infinite backwards path from each input tran- 


sition to p, i.e. the backwards path ends in a loop. There 


are two cases; 


- the paths do not intersect:
  Then liveness implies that $t_1$ and $t_2$ be concurrently firable,
  hence p is unsafe.

- the paths intersect. Then, since no place has several outputs,
  the paths must recombine at a transition:

  Again, liveness implies unsafeness.


Hence: not SCMG and live $\Rightarrow$ unsafe


q.e.d.


Lemma 11: If, in a Strongly Connected Free Choice net, every MG-reduction
          is strongly connected and non-empty, the reductions cover the
          net.

Proof: If the transitions are covered, the places are covered because
the reductions are open consistent subnets. Assume some transition
t is not covered, i.e. t is not in any MG-reduction.

Since the net is strongly connected, we have:
$\forall t: |{}^\bullet t| \geq 1$.

Case 1: $|{}^\bullet t| = 1$. Then, if every reduction eliminates t,
        every reduction must eliminate ${}^\bullet t$, hence all of
        ${}^\bullet({}^\bullet t)$ (Step 2 of reduction). If all
        $t' \in {}^\bullet({}^\bullet t)$ are such that
        $|{}^\bullet t'| = 1$, repeat case 1 for some t'. If not,
        apply case 2.

Case 2: $|{}^\bullet t| \geq 2$. This case must arise at some time
        because if not the search assumed in case 1 would
        exhaust the net, which contradicts the assumption
        that no reduction is empty.

But now, by Free Choice hypothesis, each place in ${}^\bullet t$ is a
single-output place. If each reduction eliminates all of
${}^\bullet t$, repeat the argument for
$t' \in {}^\bullet({}^\bullet t)$ as in case 1.

If some reduction eliminates only part of ${}^\bullet t$, since it
eliminates t there would be places without output transitions
in the reduced net: not strongly connected.

In any case, the existence of an uncovered transition implies
the existence of either an empty or a non-strongly-connected
MG-reduction.


q.e.d.


From Lemmas 9, 10, and 11 and Theorem 6 with the well-formedness
corollary we get:


Theorem 8: If a Free Choice net is Well-Formed, every MG-reduction is 


a non-empty SCMG and the reductions cover the net. 
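
The three MG-reduction steps of this section and the conditions of Theorem 8 (every MG-reduction a non-empty SCMG, the reductions cover the net) can be run mechanically; the following Python is an added example, not code from the thesis. The net encoding, all function names and the two sample nets are assumptions made for illustration, and "strongly connected" is checked separately for each disjoint part of a reduction.

```python
from itertools import product

class Net:
    """Petri net: pre[t] / post[t] are the input / output places of transition t."""
    def __init__(self, pre, post):
        self.pre, self.post = pre, post
        self.T = set(pre)
        self.P = set().union(*pre.values(), *post.values())
    def outputs(self, p):            # output transitions of place p
        return {t for t in self.T if p in self.pre[t]}
    def inputs(self, p):             # input transitions of place p
        return {t for t in self.T if p in self.post[t]}

def is_free_choice(net):
    """Every arc p -> t is the only output of p or the only input of t."""
    return all(len(net.outputs(p)) == 1 or net.pre[t] == {p}
               for t in net.T for p in net.pre[t])

def mg_allocations(net):
    """Yield every MG-allocation A (one output transition chosen per place)."""
    places = sorted(p for p in net.P if net.outputs(p))
    for choice in product(*(sorted(net.outputs(p)) for p in places)):
        yield dict(zip(places, choice))

def mg_reduce(net, A):
    """Run Steps 1-3 to a fixpoint; return the surviving (places, transitions)."""
    E_T = {t for p, a in A.items() for t in net.outputs(p) if t != a}   # Step 1
    E_P = set()
    while True:
        new_P = {p for p in net.P - E_P if net.inputs(p) <= E_T}        # Step 2
        new_T = {t for t in net.T - E_T if net.pre[t] & (E_P | new_P)}  # Step 3
        if not (new_P or new_T):
            return net.P - E_P, net.T - E_T
        E_P, E_T = E_P | new_P, E_T | new_T

def reaches(arcs, src, dst):
    """Depth-first search: is there a directed path from src to dst?"""
    seen, stack = set(), [src]
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(v for u, v in arcs if u == n)
    return dst in seen

def classify(net, Q_P, Q_T):
    """Name the first defect found in a reduction, or 'SCMG' if there is none."""
    if not Q_T:
        return "empty"
    if any(len(net.inputs(p) & Q_T) > 1 for p in Q_P):
        return "not a marked graph"      # a place with several input transitions
    arcs = {(p, t) for t in Q_T for p in net.pre[t] & Q_P}
    arcs |= {(t, p) for t in Q_T for p in net.post[t] & Q_P}
    # Checked per disjoint part: every arc u -> v needs a path back from v to u.
    if not all(reaches(arcs, v, u) for u, v in arcs):
        return "not strongly connected"
    return "SCMG"

def theorem8_report(net):
    """Verdict for each MG-allocation, and whether all are SCMGs covering the net."""
    verdicts, covered = [], set()
    for A in mg_allocations(net):
        Q_P, Q_T = mg_reduce(net, A)
        verdicts.append(classify(net, Q_P, Q_T))
        covered |= Q_P | Q_T
    return verdicts, set(verdicts) == {"SCMG"} and covered == net.P | net.T

# Constructed sample nets (not taken from the thesis).
FORK_CHOICE_JOIN = Net(   # fork, a free choice on one branch, then a join
    pre={"fork": {"p0"}, "a1": {"pa"}, "a2": {"pa"}, "b": {"pb"}, "join": {"qa", "qb"}},
    post={"fork": {"pa", "pb"}, "a1": {"qa"}, "a2": {"qa"}, "b": {"qb"}, "join": {"p0"}})
CHOICE_THEN_JOIN = Net(   # a choice between t1 and t2, but t3 needs both outcomes
    pre={"t1": {"p0"}, "t2": {"p0"}, "t3": {"p1", "p2"}},
    post={"t1": {"p1"}, "t2": {"p2"}, "t3": {"p0"}})
```

For the second net both MG-reductions come out empty, so by the lemma above on empty MG-reductions that net is not live; the first net passes all three conditions.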


5.5 The Well-Formedness Theorem 


We are now ready for the Well-Formedness Theorem, which includes all 
criteria for the existence of a Live and Safe Marking, including Theorems 


7 and 8 and their converses. 


Well-Formedness Theorem (Theorem 9): In a Free Choice Petri net, the
following are equivalent:

a) The net is Well-Formed:
   - every minimal deadlock is SCSM
   - there is a covering of SCSM's
b) The net has a Live and Safe marking.
c) The reverse-dual is Well-Formed.
d) Every SM-reduction is a SCSM, the reductions cover the net, no
   reduction is empty.
e) Every MG-reduction is a SCMG, the reductions cover the net, no
   reduction is empty.


Proof:

Note: If a is a statement about a FC-net, let a' be the same
statement for the reverse-dual of the net.

Example: c = a'

$a \Leftrightarrow b$ : Corollary of Theorem 6
$a \Rightarrow e$ : Theorem 8

$e \Leftrightarrow d'$, reverse-dual of e for the reverse-dual net, i.e.
(e for primal) $\Leftrightarrow$ (d for reverse-dual)

If the primal is such that every MG-reduction is a SCMG etc.,
the reverse-dual is such that every SM-reduction is a SCSM.

$d' \Rightarrow a'$ : Theorem 7 for the reverse-dual net
$d' \Rightarrow c$

$a' \Rightarrow e'$ : Theorem 8
$e' \Leftrightarrow d$ : reverse-duality

$d \Rightarrow a$ : Theorem 7


We have the following diagram:

[Diagram: Primal / Reverse-dual]

The implication path is closed and hence gives us the equivalence
of statements a, b, c, d, e, a', b', d' and e'.

Remark: Statement d is more complete than the one used in
Theorem 7; the part "no SM-reduction is empty" follows by
reverse-duality of the full statement of Theorem 8. It is not
essential in the proof of this theorem.


5.6 Examples of Decompositions 


We give below four examples of non-Well-Formed Free Choice Petri 
Nets. All four are strongly connected, but show different possibilities 


of structural unsoundness. 


Example 1: (Reductions shown are superimposed in bold on the original
net.)

- one MG-reduction is not a MG (shown).
- one SM-reduction is not a SM.
- the other SM-reduction is empty.
- MG-reductions cover, the SM-reductions do not cover.


This example has live markings: The minimal deadlocks are 
(Py> Po» P3}s which is a trap, and {p,, Pa, Pid, which contains the 


trap {P,, py, J. But no live marking is safe.

Example 2:

- one MG-reduction is not SC (shown).
- the other MG-reduction is empty.
- one SM-reduction is empty.
- neither SM-reductions nor MG-reductions cover the net.

Example 3:

- two MG-reductions (one is shown) are SCMG's and cover the net.
- the two other MG-reductions are empty.
- same for SM-reductions (the net is self-reverse-dual)

Examples 2 and 3 have no live markings: The empty MG-reduction
guarantees the existence of a killing sequence.

Example 4:


This Petri Net has no live marking, but it contains a live subnet 
{(Py; Py)» (ty, ty)}. This subnet will be covered by every MG- 
reduction. We call such a Petri Net pseudo-live: a pseudo-live 
marking is a marking such that some, but not all, transitions are 


live.

MG-reduction no. 1 of Example 4:


unallocated arc: Py ° t 


3 
The MG-reduction is not a Marked Graph.

MG-reduction no. 2 of Example 4:


unallocated arc: 


- t 


Py “4 


The MG-reduction is not strongly connected. 


The two MG-reductions cover everything except $t_3$.

SM-reduction no. 1 of Example 4:


unallocated arc: Ps ° t


5 


The reduction is not a State Machine and not strongly connected.

SM-reduction no. 2 of Example 4:


unallocated arc: 


Ban tts 


The reduction is not strongly connected. 


The two SM-reductions cover everything except $p_3$.


CHAPTER 6
Application of the Mathematical Results


In this chapter, we present the full decomposition of the example 
of a Well-Formed Production Schema shown in 2.3. 

The next pages show first a reproduction of the example and the 
corresponding Petri Net. The labels on the Production Schema indi- 
cate the corresponding Petri Net elements. Some contractions have 
been performed in the translation process, as suggested in 2.4. We 
also have used only one transition to represent the two operations 
labeled j and j' in the Production Schema; this of course does not 
change the structure of dependencies. 

We then present all SM-reductions superimposed in bold on the 
original net. For each reduction, we indicate the SM-allocation by 
crossing out the unallocated arcs. 

We record the progress of the reduction algorithm by numbering
the elements as they are eliminated. The unallocated places,
disappearing at step 1 (cf 5.3), are labelled (1). The transitions
eliminated by the first application of step 2 are labelled (2); those
eliminated by the nth application of step 2 are labelled (2n). The
places eliminated by the nth application of step 3 are labelled (2n+1).

Since there are three two-input transitions, and all other
transitions have a single input place, the unallocated arcs will be
chosen from three pairs of arcs. We therefore expect eight ($2^3$)
possible SM-reductions.

However, two different SM-allocations may yield the same reduced net.
This is illustrated in the first example (SM-reduction No. 1): We
notice that the choice at transition c eliminates transition m on move
(4), and this independently from the choice made at m. Hence, the
choice between L and M for the allocation at m is irrelevant: The two
allocations yield the same reduced net. The same applies to
SM-reduction No. 4.

In SM-reductions Nos. 5 and 6, we also notice a multiple-input tran- 
sition, namely h, that has been deleted. However, this is due to the 
combined choice at c and h; if we allocated G to h instead of K, we do 


not delete h (SM-reductions Nos. 2 and 3).

[Figure: Well-Formed Production Schema]

[Figure: Well-Formed Free Choice Petri Net]

[Figure: SM-reduction No. / No. 1 bis]
unallocated arcs: K+ h, I - c, L* m (for 1 bis: M~ m)

[Figures: SM-reduction No. 2; SM-reduction No. 3; SM-reduction No. 4 / No. 4 bis; SM-reduction No. 5; SM-reduction No. 6]

The SM-allocation of SM-reduction 1 is formally the function B,
consisting of the set of pairs (x, B(x)):

argument: $x \in \Sigma$             a b c d e f g h i j k l m
value:    $B(x) \in {}^\bullet x$    A B C B F D F G H H J E L


We get the same reduced net by replacing the argument-value pair 

(m, L) by (m, M). We distinguish the allocations yielding SM-reduction 

No. 1 by calling them SM-allocation No. 1 and No. 1 bis respectively. 
We also note that a reduction may consist of several disjoint
parts. This should not be surprising, and the warning on page was
given with this in mind. It is simply convenient not to distinguish
between the two interpretations of "strongly connected;" context
usually makes the difference clear when it is relevant (when talking
about minimal deadlocks for example). We shall say individual SCSM if
we want to emphasize one component.

The individual SCSM's (the minimal deadlocks) are the SM-reductions 
Nos. 1, 4, 5, 6. SM-reduction Nos. 2 and 3 are combinations of 1 and 6 
respectively 5. In this net, all minimal deadlocks are required to cover 
the net. In terms of reductions, only three are required: 2, 4, and 5 
for example. 

There are 8 SM-allocations (the product of the number of input arcs 
over all transitions) yielding 6 different SM-reductions and 4 indivi- 
dual SCSM's. Note also that the union of SM-reductions No. 3 and No. 6 
covers all transitions, but leaves out places C and K. 

From the SM-decomposition we can infer a few facts about a possible 


live-and-safe marking. 


- Since there are four minimal deadlocks, and each has at least one 
place that appears in no other individual SCSM (four such places are G, 


K, L, M for example), the maximum number of tokens in the net is four. 


- Since no place is shared by more than two individual SCSM's, but A 
is shared by two SCSM's and H by the other two, the minimum number of 
tokens in a live and safe marking is two. It is also easy to see that 
there is only one live-and-safe marking class, determined by the initial 


marking {A, H} for example.

[Figures: MG-reduction No.; MG-reduction No. 2 / No. 2 bis; MG-reduction No.; MG-reduction No. 6 / No. 6 bis]

The MG-reductions have been constructed in an analogous way.
Again, unallocated arcs have been crossed out. The MG-allocation for
MG-reduction No. 1, for example, is the function A, consisting of the
set of pairs (x, A(x)):

argument: $x \in \Pi$             A B C D E F G H I J K L M
value:    $A(x) \in x^\bullet$    a b c f l e h i c k h m m


The unallocated transitions are d, g, j. 

Much of what has been said about SM-reductions can be said about
MG-reductions. We again have 8 MG-allocations (product of the number
of output arcs over all places) yielding 6 distinct MG-reductions and
4 individual SCMG's: reductions Nos. 1, 4, 5 and 6. The coincidence
with SM-reductions is totally fortuitous (even the fact that
MG-reductions Nos. 2 and 3 are composed of reductions No. 1 plus 6 and
6, respectively); to show this, it is enough to imagine an additional
choice for B, going to F via a new transition n, for example. Now we
would have 12 MG-allocations, and we would get more SCMG's, but the
only change to SM-reductions would be that the individual SCSM No. 1
would look different in SM-reductions Nos. 1, 2 and 3.

Note that MG-reduction No. 4 covers all places by itself, but tran- 
sitions e, d and j are not covered. A complete MG-covering would be 
2, 4, 5 for example, consisting of all four individual SCMG's. 

We can consider a covering by SCSM's as a set of State Machines 
communicating by exchanging synchronization signals via shared transi- 
tions h, m and c. Since we interpret the net as a representation of 
some production facility, these transitions correspond to points where 
one process must wait for another. If two transitions, say c and j, 
belong to the same individual SCSM, they may represent facilities 
using the same resources, since they will never compete for common
resources.

The decomposition into Marked Graphs shows concurrency among the
composing State Machines. But it also shows possible complete inde- 
pendencies. For instance, MG-reductions Nos. 2 and 3 consist of two 
disjoint SCMG's. The two SCMG's of MG-reduction No. 2, however, can- 
not operate concurrently, because the individual SCMG No. 5 intersects 
the individual SCSM No. 1 containing SCMG No. 1: SCSM No. 1 would con- 
tain two tokens. But all four individual SCSM's are needed for the 
covering, and hence all must be one-token SCSM's. 

On the other hand, this restriction does not apply to MG-reduction 
No. 2, where the two components are indeed totally independent of each 
other. 

An interesting result for production facilities obtained from the 
Well-Formedness Theorem in connection with MG-reductions is the 


following: 


If a production facility "works properly" for every constant
set of decisions (constant predicates for multiple choice
places) (i.e. every MG-reduction is LS, hence SCMG) then it
"works properly" for any dynamic choice (i.e. the net is LS).

CONCLUSION


This thesis has extended the structural analysis methods to
concurrent systems with decisions and conflicts. Before, most work in
this area
was concerned with marked-graph type schemata [3,12]. Baer, Bovet and 
Estrin restricted themselves to directed acyclic bilogical (i.e. con- 
junctive and disjunctive nodes) graphs [1]. The legality they refer to 
corresponds to our Well-Formedness; in that sense this thesis extends 
their work to directed cyclic bilogical graphs. 

The concept of decomposition of Petri Nets seems very promising. 

It permits the identification of meaningful subsystems and their inter- 
connections in a complex system. It may be used to enhance structural 
transparency in the synthesis of complex concurrent systems. It also 
provides criteria for the hang-up free interconnection of State Ma- 
chines, and sheds a new light on the results about the interconnections 
of determinate systems obtained by Patil [17]. 

An interesting field of future research is the semantic interpre- 
tation of the decomposition results, notably the significance of the 
dual coverings -- by Marked Graphs and by State Machines -- of Petri 
Nets. We expect a strong influence in this field from recent research 
on the semantics of Petri Nets, by Holt [11]. 

A different approach to decomposition has been made by Furtek [8]. 
It is based on an analysis of the information flow along arcs that gov- 
erns the token flow at firings. Combining the two approaches should 
prove very fruitful. 

The next step will be to extend our results and methods to wider 
classes of Petri Nets. Simple Nets seem to be the next target, and a 
few results similar to those for Free Choice Nets have already been ob- 
tained for Simple Nets. Ultimately, we hope to gain a full understanding 
of the structural properties of General Petri Nets, and we expect that 
some of the tools provided in this thesis will be useful to that effect. 
If we get theorems and Live-and-Safeness criteria similar to those ex- 
pressed here for a larger class of Petri Nets, we will be able to ex- 
tend the definition of Production Schemata to represent and analyze an 


even larger class of Systems.